about

this is a plato instance, hosted by @terribic. questions or feedback.

rules

be civil, especially when disagreeing. no racism, sexism, ableism, homophobia, or transphobia.
no porn, no illegal content.
no ads, spam, scams, or doxxing.
mods are accountable; the modlog is public, and votes can reverse soft removes.

these rules also appear in the footer of every magic-link email this instance sends.

privacy

plato is built around storing as little about you as possible. specifically:

your email address is never stored. when you sign in, the forum derives a one-way hash of your email (knowless identity) and discards the original. the hash is per-instance, so the same email yields different identities across forks.
your IP address is held briefly for rate-limit accounting. it isn't logged to disk beyond the rate-limit window and isn't shared with anyone.
no analytics, no tracking pixels, no third parties. the forum doesn't load JavaScript, fonts, or assets from any host except its own.
posts and comments are public by design. there are no private subs, no DMs, no shadow visibility. what you write is what other people see.
moderation is auditable. every mod action lands in a public modlog. no shadowbans, no quiet removals.

how this place works

the operator. the person hosting this instance runs the server but has no special power inside the forum — no admin role, no override of sub mods, no quiet removals. their job is hosting; community decisions stay with mods and members.

posting. anyone with an account can post in any sub. you don't need to be a "member" or get approved. accounts are made by entering an email and clicking a magic link — no password, no profile setup, the email itself is hashed away and never stored. you pick a sub from the list when you write.

subs. a sub is a community around a topic. anyone signed in can create one; the creator is its mod. each sub has rules in its description, optional flairs, and an auto-collapse threshold for flagged posts. there are no private subs and no membership lists — visibility is binary, public or doesn't exist.

mods. each sub has exactly one mod (the creator) and any number of co-mods the mod has promoted from its subscribers. mods can collapse posts (soft-hide; reversible by community votes), remove posts (hard, for harassment / illegal content), ban users from their sub, and resolve flags. every mod action lands in the public modlog with the mod's pseudonym and reason — no shadowbans, no quiet removals.

flags. if you see a problem, click the flag button. flags go into a queue every mod of that sub can see; the first mod to act handles it. enough distinct flags on the same target also auto-collapses it pending mod review.

read-only subs. a sub becomes read-only — content viewable, no new posts/comments/votes — when its mod steps down without a successor, or when no mod has been active in it for 30 days (a 28-day warning surfaces in a banner before that). a current mod can flip it back to active anytime. if no mods remain, the sub stays read-only as a permanent record; the community migrates by creating a successor sub. the operator does not assign new mods or override sub state — communities decide their own fate.

leaving. request your archive from /memlog; mods of a sub (or any 60-day continuous subscriber) can request that sub's archive from /sub/<name>/manage. you'll get a memlog notification with a token-bearer download link. the archive is yours; importing it elsewhere or never importing it is your call.

interop & portability

your data is portable, and the export shape is human-friendly enough to read without plato installed.

personal archive — every logged-in user can request their own archive (no tenure gate; your data is yours from day one). it contains your authored posts and comments, your subscriptions, mod actions on your content, and mod actions you took. request from /memlog; the worker builds a signed .tar.gz within the next off-peak window and a memlog notification surfaces a token-bearer download link.
sub archive — mods can export any sub they moderate; non-mods can request after 60 days of continuous subscription. contains every post, every comment, every mod action, and vote tallies (no per-voter handles). request from /sub/<name>/manage.
readable offline, in any browser — both archive kinds bundle a self-contained index.html static reader: no JavaScript, no external assets, no plato install needed. open it directly from disk. above 100 items the reader auto-paginates with kind + per-year chips so a multi-year sub doesn't become one giant page.
sub archives are importable into any other plato instance via URL paste at /sub/create?mode=import — the destination fetches the bytes, verifies the signature, and rehydrates posts / comments / votes / modlog with original timestamps. imported handles render dim+italic with a per-sub [i] chip carrying provenance. personal archives are not importable (the posts inside are tied to subs on the source instance).
posts are plain markdown on disk from the moment you submit them. posts/<date>-<id>.md files are the canonical store; the database is an index, regenerable. you can read them with cat, edit them with any text editor, version them with git, or bypass plato entirely and feed them to a static-site generator.

archive signing

every export this instance produces is signed with an Ed25519 keypair belonging to this server. the public half lives at /.well-known/plato-pubkey and its fingerprint is:

sha256:7a5f297da48fd02145397cd2d8cfdaaf54d45801f593a07cd9d167eafc9c2a5f

each archive ships with a sibling .tar.gz.sig file containing the detached signature; the manifest's instance.pubkey_fingerprint field carries the same value. an importer fetches the pubkey from this URL, confirms the fingerprint matches, then verifies the signature over the gzipped bytes.

if this operator opted into OpenTimestamps anchoring, archives also ship with a .tar.gz.ots proof. that proof anchors the archive's hash to a Bitcoin block within roughly an hour after stamping, giving anyone a way to prove the archive existed before that block's timestamp without trusting plato or this operator. a missing .ots file means OTS wasn't enabled here — verification falls back to the Ed25519 signature alone. see opentimestamps.org for the verification recipe (ots verify <archive>.tar.gz.ots).

if you don't trust this operator

that's fine — the forum is shaped so you don't have to. plato is the open-source codebase running this instance (Apache 2.0). clone the repo, copy forum.db + posts/, set a fresh KNOWLESS_SECRET, and run your own. handles re-derive per instance — same email yields different pseudonyms across forks — so leaving is a fresh start, not a sticky identity transplant.