01 — Philosophy

The architectural constraints that cascade through every other decision in BKA. Each one is load-bearing — break it and the thesis collapses into "yet another social platform."

1. No central content hosting, ever

The single most important constraint. The moment we host content for creators, we are the platform — we get to choose what loads, what's monetized, what's banned. The constraint:

• Content lives at the creator's edge. Their GitHub repos. Their Cloudflare Pages. Their R2 bucket. We don't have copies.
• The indexer holds metadata only. Titles, summaries, tags, sub-IDs, feed URLs — never the post body, never the binary, never the comments thread. If a creator's site goes down, we have nothing to serve in its place.
• No "cached" or "mirrored" content. Caching at the indexer would technically improve perceived reliability and would also make us the platform within six months. Pass.

When in doubt, ask: "do we have a copy of what the user sees?" If the answer trends toward yes, we're drifting toward platform.

2. The creator owns the infrastructure, not us

Each creator brings:

• Their own GitHub account (free tier suffices for a typical creator)
• Their own Cloudflare account (free tier suffices)
• Their own domain (optional — *.pages.dev works free)

We provide the app (BKA), the templates (repo scaffold, viewer site), and the automation (publish pipeline config). We do not provide the substrate.

The corollary: creators can leave us at any time. Their content stays where it is. Their site stays where it is. Their audience never had to know we existed. Leavability is the test for sovereignty.

3. Friction lives at setup; runtime is frictionless

The Cloudflare-account step is real friction. We make it as smooth as possible (guided wizard, OAuth where available, copy-pastable commands) but we don't hide it. It's the price of sovereignty.

Once setup is done, everything else is one click or less:

• Publish a post → push to public repo → Pages auto-deploys → live
• Add a video → upload as GitHub Release asset → metadata-commit auto-deploys
• Update a theme → swap a config → next push picks it up

This is the discipline: setup once, friction-free forever. If a workflow requires repeated manual steps post-setup, that's a bug.

4. Two repos per creator: private working DB + public published surface

The lifecycle is honest. Creators have drafts, scratch, full history, things they regret writing — those belong in a private repo nobody sees. The published artifacts they're proud of belong in a public repo that's their archive.

The publish action graduates content from private → public. The reverse (unpublish) deletes from public but keeps in private. Private is the source of truth for the creator's work; public is the curated outward face.

This also keeps the public repo small + fast + browsable on github.com. See 05_TWO_REPO_MODEL.md for specifics.

5. Federation over centralization

Even where we DO need a small central piece (the discovery indexer), it's pull-based: it visits creators' published feeds on a cadence, never receives pushes. This means:

• Creators don't have to participate in discovery to be sovereign
• A creator can rate-limit or block the indexer at any time
• A creator's surface is findable, not enrolled

The indexer is the smallest possible central thing. If it could be smaller still (zero), we'd make it zero. The minimum non-zero thing it does: serve discovery queries against the index it built from public feeds. See 07_DISCOVERY_LAYER.md.

6. AI at build time, AI in the discovery layer — never in the creator's request path

When a visitor hits a creator's site, no AI runs. No model call on page load. No personalization layer. The page is static-generated, served from edge cache, deterministic.

Where AI lives:

• Authoring: the BKA app's chat-with-doc surface uses AI to draft / edit / polish posts before publish
• Discovery: the indexer's "what should I see next" route invokes BabyAI specialists to route the query

Both are bounded. Neither inflicts model unpredictability on the creator's own site experience. This mirrors the QC-harness / no-agents-as-product stance from the broader memory.

7. Same identity across the binary-blender app stack

Google SSO is the cross-app identity layer (per the community-pattern proof). When you sign into BKA, the same JWT works in Foundry, Community, and any future app. We never invent app-specific accounts.

For BKA specifically: the Google identity is used for the indexer's "this is my feed, please index it" registration call, and for any creator-to-creator or visitor-to-creator interactions that need attribution.

The creator's audience (their subscribers, commenters) don't need Google. They can subscribe via email (Cloudflare-side handler) or RSS (no identity at all). Identity is only required where the indexer or the cross-app surface needs it.

8. Automation is the product

The thing that justifies BKA's existence over "just learn Astro yourself" is that we automate the wiring nobody wants to do twice:

• One-shot Cloudflare account provisioning (Pages project, R2 bucket, custom domain config)
• Two-repo provisioning (private + public, with the right .gitignore, the right CI/CD config)
• Publish pipeline (GitHub Actions, release-asset upload, metadata commit, Pages build trigger)
• Feed generation (/feed.json rebuilt on every publish, matched to the indexer's schema)
• Theme rendering (no build step the creator runs by hand)

Every piece of automation is a one-time investment that frees the creator to actually create. If we ever find ourselves shipping a "now do this manually" instruction post-setup, that's a regression.

9. Open-source, no premium tier

The whole app ships under a permissive license (likely MIT). No paid tier. No feature flags gated behind subscriptions. The minute we add a "pro" tier we have a customer relationship and an incentive to lock creators in.

We sustain via:

• Christopher's other consulting (TAO, Accelerando) — see binary-blender funnel memory
• The book series (AI WIN-WIN, the textbooks) — see book-series memory
• Optional sponsor links in the GitHub repos

The creator pays Cloudflare directly. We never see a dollar.

10. What this stack is NOT for

• Creators who want a hosted SaaS. Substack, Beehiiv, Medium exist for this.
• High-throughput live-content platforms. Federated pull-discovery has minutes-of-latency; if you need 60-second virality, this isn't it.
• Anonymous platforms. Google SSO is the identity layer; if creators need pseudonymity beyond what GitHub + a pseudonymous Google account provides, we don't help.
• Walled-garden communities. The whole thing is public-by-default. Private content channels need a different design.