Core Concepts
The Lens SDK is designed around a set of robust, interoperable components. A thorough understanding of these core concepts is essential for leveraging the full power and security of the SDK. This document provides a detailed overview of the foundational pillars of the Lens architecture: the LensService
, the Site
Program, the Federation Model, and the Access Control System.
1. The Layered Architecture
The SDK employs a strict, layered architecture to promote modularity, security, and maintainability. Each layer has a distinct responsibility, and communication flows vertically through well-defined interfaces.
graph TD A[π± <b>Application Layer</b><br><i>UI, Backend, CLI</i>] -->|Consumes| B[π§© <b>Service Layer</b><br><i>LensService: Public API</i>] B -->|Orchestrates| C[π <b>Federation & Program Layer</b><br><i>FederationManager, Site Program</i>] C -->|Built Upon| D[π <b>P2P Framework Layer:</b><br><i>Peerbit</i>] %% Styling classDef layer stroke-width:1px,rx:10,ry:10; class A,B,C,D layer;
Service Layer (
LensService
): This is the canonical public interface for the SDK. It is the sole entry point for any consuming application. Its purpose is to provide a stable, high-level, and asynchronous API that completely abstracts the complexities of the underlying P2P network and program logic. The service layer is responsible for managing the lifecycle of the P2P client and the activeSite
program.Program Layer (
Site
Program): This is the “on-chain” or decentralized backend of the application. TheSite
program is a stateful, replicable “smart contract” that defines the application’s data schemas, databases, and the immutable rules governing data access. It is the ultimate source of truth for all content and permissions within a givenSite
.Federation Layer (
FederationManager
): This is a specialized, internal component managed by theLensService
. It orchestrates all inter-program communication. While theSite
program defines what data exists, theFederationManager
defines how that data is discovered, synchronized, and shared between differentSite
instances.P2P Framework Layer (Peerbit): The foundational layer that provides the necessary primitives for peer-to-peer networking, database creation, data replication, and cryptographic identity. The Lens SDK is built directly upon this robust framework.
2. The Site
Program: A Sovereign Digital Entity
The central construct in the Lens ecosystem is the Site
. Conceptually, a Site
is a sovereign, addressable, and self-contained digital space. It functions as a decentralized application instance, complete with its own databases and access control system.
Key Characteristics of a Site
- Unique, Verifiable Address: Every
Site
is identified by a permanent, cryptographic address derived from its owner’s public key and its initial parameters. This address is used to locate, open, and interact with theSite
on the network. - Structured Data Stores: A
Site
is a collection of discrete, purpose-built data stores forReleases
,ContentCategories
,Subscriptions
, and more. This structured approach ensures data integrity and organizational clarity. - Explicit Permissions: Access to a
Site
is not public by default. All write permissions are explicitly granted by an Administrator through a robust Role-Based Access Control (RBAC) system.
3. The Federation Model: Principled Data Exchange
Federation is the process by which independent Site
instances share data. The Lens SDK implements a principled, subscription-based model to ensure that all data exchange is intentional and secure.
The Federation Lifecycle
Explicit Subscription: The process is initiated by a user with
subscription:manage
permission (typically aModerator
orAdmin
). To federate, they create aSubscription
record containing the targetSite
’s address. This action is a deliberate declaration of trust.State Synchronization: Upon the creation of a
Subscription
, theFederationManager
performs two types of synchronization:- Historical Sync: A one-time process that connects to the remote
Site
and replicates its existing public content (e.g.,Releases
). - Live Sync: The manager subscribes to the remote
Site
’s dedicated pub/sub topic, creating a persistent, real-time communication channel for immediate updates.
- Historical Sync: A one-time process that connects to the remote
Data Provenance: All data received via federation is immutable and retains the cryptographic signature of its original author and the address of its originating
Site
. This guarantees that the source of all content can be verified.Lifecycle Termination: If a
Subscription
is deleted, theFederationManager
performs a cleanup operation, purging all data associated with the unsubscribedSite
from its local databases.
4. The Access Control System (RBAC)
Security is integral to the Site
program. The system is built on a robust and secure Role-Based Access Control (RBAC) model, managed by a dedicated internal RoleBasedccessController
. This controller is the ultimate authority for all actions within a Site
.
Identity and Signing
Every action that modifies a Site
(like adding a release or assigning a role) must be cryptographically signed. The Lens SDK supports two models for this identity:
Default Node Identity: If you initialize
LensService
without specifying a custom identity, it will use an auto-generated identity tied to the Peerbit node itself. This is suitable for server-side scripts or headless nodes where a single, consistent identity is desired.Custom Wallet Identity: For user-facing applications, the recommended approach is to provide a custom identity derived from the user’s own wallet (e.g., MetaMask). When you instantiate
LensService
with this custom identity, all subsequent actions are signed by the user’s wallet. This ensures that the user, not the application node, is the true owner and author of their content. This is the foundation of data sovereignty in the Lens SDK.
The RBAC Components
Administrators (
TrustedNetwork
): At the top level is aTrustedNetwork
of administrators. Any user whose public key is in this network is considered an Admin. Admins have universal permissions and are the only users who can manage the RBAC system itself (e.g., create new roles, assign roles to users, or add other Admins). The initial creator of aSite
is its firstAdmin
.Roles: A
Role
is a named collection of specific permissions. ASite
is initialized with a set of default roles, and Admins can create new custom roles as needed.Permissions: A
Permission
is a granular string that represents a specific action, typically in the format"resource:action"
(e.g.,"release:delete"
).Assignments: An
Assignment
is a verifiable link between a user’s public key and aRole
. A user gains permissions by virtue of the roles they are assigned.
Default Roles and Permissions Table
A Site
comes with a clear set of default roles, providing a sensible permission structure out of the box. An Admin can perform all actions listed below.
Action / Permission (resource:action ) | Moderator | Member | Guest | Description |
---|---|---|---|---|
release:create | β | β | β | Can publish new Release documents. |
release:edit:own | β | β | β | Can edit Release documents they personally posted. |
release:edit:any | β | β | β | Can edit Release documents posted by any user on the site. |
release:delete | β | β | β | Can delete any Release from the site. |
featured:manage | β | β | β | Can create, edit, or delete FeaturedRelease entries. |
category:manage | β | β | β | Can create, edit, or delete ContentCategory documents. |
blocklist:manage | β | β | β | Can create or delete BlockedContent entries. |
subscription:manage | β | β | β | Can subscribe to or unsubscribe from other sites. |
- Guest (Implicit Role): This is the default status for any user who is not an Admin and has not been assigned any roles.
Guests
have read-only access and cannot perform any write operations.
Federation and Permissions
The RBAC model extends intelligently to federated content. While trust is primarily based on the subscription, the Lens SDK provides a powerful override: a local Admin
or Moderator
can always act on federated content (e.g., delete a stale post from an unsubscribed site). This ensures that local site owners maintain ultimate control over the content stored in their databases.