## Assertions
Peaceful Passport connects every Peaceful Foundation project through a shared record of contribution.
Volunteers earn badges that reflect what they’ve actually done — posters placed, memes created, meals hosted, guides written.
Each action becomes a verifiable proof of participation rather than a self-claimed reputation.
This system keeps campaigns aligned with their original values.
When people add their work — like a meme, poster, or event — to their passport, it provides transparent credit and context.
It shows who contributed what, when, and where, while keeping privacy intact.
If questions ever arise, it’s easy to trace which content came from real volunteers rather than impersonators or outside actors.
For everyday users, the passport looks and feels like a simple, customisable profile — public or private, sharable like a “link in bio.”
For the organisation, it functions quietly as a sign-in mechanism and trust layer across all projects: QuitEasily, Calm.College, LearnStuff.Today, Reasonable.Diet, and Hexagons.World.
It ensures:
- genuine volunteers can be recognised and encouraged,
- campaigns can highlight effective or popular contributions, and
- bad actors can be identified or disavowed without confusion.
Ultimately, Peaceful Passport replaces abstract reputation systems with calm, factual records of participation.
Each person’s contributions speak for themselves — the system simply makes them visible, verifiable, and portable across every corner of the movement.
A quick, concrete example
A bad example: A campus app adds 'thumbs-up' ratings to people who attend events. Within weeks, cliques trade ratings; newcomers get ignored; one awkward interaction follows you around all semester.
A better example: The app logs time‑boxed, factual badges only: “Attended 3 study circles in Oct,” “Co‑hosted 1 cooking night.” The campus dashboard shows anonymised, aggregate adoption (“45 students co‑hosted something this week”)—no personal leaderboards.
## Design and Scope
Use passkeys + social shard recovery utilising friends irl
Represent contribution via attestations, not ratings.
Share only aggregates with institutions—DP/thresholds/opt‑out.
Publish inputs, weights, and uncertainty when aggregating.
Keep infra static, forkable, mirrored.
just scoped for peaceful foundation
we are not making a general purpose reputation system
we are working on this as part of [redacted]
should not be achievement stuff
should just be attesting from other people
perhaps including in the distribution of identifiers
but the peaceful passport could be linkable
seed such a process
active in community
QR codes irl
## Core Functions
makes Peaceful Foundation co‑option visible and repudiable
signals in-group participation (visible but lightweight)
protects ambassadors → no need to use personal accounts
clout through earned achievements, not empty status games
ensures consistency across PF campaigns (one identity across quiteasily, calm.college, etc.)
continuity over time → records contributions even as campaigns shift
shields privacy → separates public involvement from personal life
lowers friction to join → posters + meetups link directly to a passport
active contribution includes lightweight internal email address (for coordination only)
## Identity
a [redacted] corresponding to [redacted] as a pseudorandom, scarce identifier that can be publicly shared without risk; this creates an identity “investure” system, as opposed to ratings or reputation scores
### Authentication
consistent system across local communities
passkeys as default; recovery by recovery key + social shards
for most people, functions like a Linktree or LinkedIn page with badges
### Link in Bio-like Portal
lightweight profile page, statically hosted
controlled by the owner; public-facing if desired
simple to share in posters, invites, or online spaces
achievements and campaign participation visible at a glance
“show/hide contributions” or “hide badges”
### Profile and User Fields
10 digit identifier
later corresponds to [redacted]
(pairwise subject identifiers: optionally, or on some systems, a user’s public ID can be different from their per‑site subject)
display name
short bio (64 chars) + longer bio (256 chars)
skills/interests (ties into learnstuff.today)
location (Level 0–2, optional)
languages
links (3–5 max)
for moderation, send to LLM and have reporting functionalities
### Additional Proof
eduGAIN auth
track if they're a student (and not where they're from) from calm.college
but this is also optional
### Badges
achievements for campaigns + local activity
weighted by participation, not status
visible markers of involvement
participation logged through consensus → other passport holders verify if it feels real
badges could also have a 'weight' to them for light gamification
this is fine in our case since not based on opinions
#### Examples
quiteasily → put up poster or x number of confirmed posters
learnstuff.today → learned a skill, created article
reasonable.diet → added/commented recipe
calm.college → authenticated participation (not staff/student labels)
hexagons.world → surveys, local info, linking stats to lived experience
future campaigns (e.g. homelessness food drives)
### Customisation
people can customise their profile
easy version with colours and such
or css akin to neocities or myspace
css is sharable and forkable
only some selectors
peaceful passport has overlay up the top
can disable custom themes
or apply your own
report theme abuse
Offer a “dual profile”: public (few, common badges) vs private (full ledger), and make “public minimality” the default.
### Third-party Badges
possible future option → donating blood, driving safely, cleaning up rubbish
-----
Underneath, the system is actually a nicer version of <redacted> Urbit ID, and the eventual plan is to retire computers and the internet. Fortunately, due to mismanagement the Urbit project has completely failed, but the good news is that everyone on the network completely hates Curtis Yarvin; phew!
We will embrace, extend and enjoy Urbit as local.network, which will be the next step after </redacted>peaceful passport, <redacted> and then merge the system back into Urbit ID.
Urbit is a general-purpose computer written in a deterministic programming language in 60k LOC.
Urbit ID is actually just a number underneath
/~zod, 0/
/~marzod, 256/
/~racnec-palren, / ~mogsub-possum, / ~mislyr-midnyt, /
data underneath is just a ten digit number
urbit-ob turns this into a phonetically pronounceable name
graphic identity 'profile pic' (a sigil) derived from mathematics
peaceful passport
blacklist IDs against already generated urbit IDs
civil war with curtis yarvin
original founder, political writer
sold a bunch of assets to Andreessen Horowitz (now a16z)
proud investors in cheddr [1] who are "building the TikTok of sports wagering"
basically as a way to distribute capital to Yarvin
and then the VC gave him back the assets for free
currently the network is more than disillusioned [2] [3]
planet dilution through unlocks over time
[1] https://speedrun.a16z.com/companies/cheddr
[2] https://www.compactmag.com/article/the-rise-and-fall-of-urbit/
[3] https://distributedweb.care/posts/who-owns-the-stars/?ref=compactmag.com
curtis yarvin
beliefs:
democratically elected king
everyone is a shareholder of the country
I think this is a reasonable system of government
countless people I've shared such an idea with, agree
however I am repulsed by Curtis Yarvin, when he expressed support and admiration for the CCP
but Curtis would probably sit and agree against genocide and dystopia
but likely would spin and treat a conversation as a debate
as people who have spent a very long time thinking about how right their opinions often do
and he over urbit and everything was super sketchy
required changes
as the goal is to fork urbit ID, and then remerge back into it
identity is not property
distribution through planets gifted to other people
no crypto or web3
no DAO
redistribution of cryptographic property
galaxy is a non‑profit co‑op multisig for region
stars are community‑run
route to stars locally in hexagon
citizen-led
such an approach benefits everyone on the network
as of writing the
new urbit foundation board
after Tlon finally voting and counteracting whales trying to weight
people are ripe for change and new ideas
will get funding for this as a separate organisation
</redacted>
(more info in the strategic plan for [redacted])
-----
## Participation
overview
peaceful passport can record authorship of creative works — images, videos, posters, memes, guides, or any other digital artefacts
acts as calm provenance, not ownership
gives creators transparent credit while preserving anonymity
workflow
when uploading or linking a creation
creator signs the work’s hash with their private key
link to the file or its CID stored in their passport
timestamp and signature verify they were first to publish
only minimal metadata kept: hash, title, date, optional note
server verifies proof
checks signature matches creator’s key
adds attestation entry to passport
public sees: “created image X on date Y,” linking to file or mirror
use cases
memes or posters → show origin and authenticity
AI-generated or collaborative images → clarify human creator
guides, videos, or artworks → visible proof of authorship without needing central platforms
privacy
credit visible, not identity
passport link = pseudonymous signature, not personal name
no location or contact info required
user can choose public or private visibility
“show creative works” toggle in profile settings
hidden works still verifiable cryptographically if later disputed
value
reinforces calm culture of attribution without competition
helps trace campaign materials back to real contributors
allows verification of origin if content is misused or misrepresented
interpretation
if a poster, meme, or image appears without a linked passport
may be anonymous by choice or external copy
audience can weigh trust accordingly
campaigns may highlight verified works to uphold integrity and humour of the movement
future extensions
support CID/IPFS links for decentralised storage
allow co-authorship attestations (multiple signers)
connect to badge system (“created poster adopted 100×”)
integrate optional visual watermark with passport hash for automated discovery
## Other Uses That Mitigate Campaign Problems
prevent impersonation
passport attribution ensures that only verified contributors can publish official materials
impersonators or infiltrators cannot convincingly pose as volunteers
community can immediately disavow off-brand or hostile content
trace content drift
when memes or posters evolve away from original tone
passport history shows lineage — who made edits, when, and why
prevents slow distortion of message or aesthetic over time
helps maintain cultural coherence without censorship
verify outreach legitimacy
volunteers contacting schools, councils, or media can link their passport profile
recipient can instantly confirm they’re a real Peaceful Foundation participant
reduces risk of scammers or misrepresentation in outreach
handle reputation spillover
if a volunteer acts unethically outside Peaceful Foundation contexts
their passport identity remains separate from personal life
allows proportional response — hide, flag, or revoke badges without public shaming
prevents one incident from destabilising entire campaigns
prevent shadow coordination
bad actors cannot quietly centralise control by hoarding admin privileges
all project access tied to verified passport IDs
makes leadership transitions transparent and recoverable
enable safe whistleblowing
a person can post an attested update or concern from their passport
stewards know it’s genuine without revealing personal identity
allows internal accountability without breaching privacy
improve meme and message quality
passport logs allow campaign leads to see which memes or posts were most effective
analytics based on verified authorship prevent fake virality or bot inflation
top creators recognised calmly, encouraging consistent quality
enable cross-campaign synergy
a single passport identity carries over between projects
reduces duplication and confusion when volunteers move between quiteasily, learnstuff.today, reasonable.diet, etc.
keeps shared tone and values aligned across different public fronts
guard against external takeover
if state, corporate, or ideological actors try to co-opt the movement
passport chain of trust makes infiltration visible
only those with real contribution history hold authority
campaign integrity preserved even under pressure
prevent silent data harvesting
passport is static, open-source and privacy-minimal
no central analytics platform collecting behaviour data
all contributions voluntary and visible — nothing scraped behind the scenes
## Authentication
we avoid centralised sign-in
do not run an OAuth provider
would create a single, expensive failure point
require holding personal data
passkeys remove that need entirely
passkeys
local keypair → private key stays on the device
public key → stored and visible in the passport record
no passwords, no secret exchange, no session state
when editing a profile
the device signs a short message locally
server checks signature against public key
update then written to storage
all verification is mathematical, not managerial
static by design
because verification is stateless
the entire system can be hosted as static pages
user records = signed JSON files served via CDN
updates handled by lightweight Workers verifying signatures
no heavy databases or live sessions required
only the minimal data:
— profile info (bio, links, skills)
— public key and key history
— contribution badges and attestations
public keys visible in record
don’t expose risk
users may view or copy their key ID from settings
### Personal
verification can happen in person
QR or NFC scan confirms identity face-to-face
no cloud authentication layer
verification intended for physical meetups, not remote logins
useful for confirming volunteers or attendance at events
ensures “real world” authenticity without surveillance
if you meet someone, you can check:
“yes, this is the same passport that posted that poster”
Use a fresh, signed, short‑lived challenge (expiry ≤ 60 seconds) that includes: verifier nonce, current key id, and a rotation counter.
Require the verifier to fetch the current key id from CDN with ETag/If‑None‑Match and fail closed on mismatch to avoid stale caches.
Encode intents (“I am Alice at this time in this place”) inside the signed response to make replays useless.
### Recovery
recovery without central dependency
losing a device should not mean losing identity
path back is calm, deliberate, and human-verifiable
1. secret code
short, offline, never stored or transmitted
can regenerate full keypair if everything else lost
when used → event recorded as “recovery by master code”
old keys kept as historical, not deleted
continuity preserved through signed rotation
2. local social shards
QR or NFC exchange in person
add a trusted recovery contact face-to-face
shared secret derived from both devices (ECDH-style)
no data transmitted beyond commitment
require t‑of‑n shard approvals (e.g., 2‑of‑5). Shards are pre‑committed to your current key state (key id + monotonic counter) and expire after use.
Show a visible cooldown timer on the public log while recovery is pending, as you proposed, and allow the owner to “veto” if they’re still in control
safety rails
recovery cooldown always visible
helpers can withdraw approval anytime
stewards see public log line (“recovery requested: peer method”)
owner can cancel recovery if they still have access
notifications discreet — no sensitive info leaked
Out‑of‑band notice to prior devices + all recovery contacts when a recovery is initiated and when it completes (no sensitive content; just state change). This greatly reduces silent takeovers.
Signed rotation chains (old→new) are already in your spec; add a mandatory overlap window where both keys can sign to finalise rotation, which blunts rushed hijacks.
steward fallback
for those without backups, stewards can verify identity
through visible bio traits or known contributions
new key issued after human confirmation + cooldown
all actions logged and signed
recovery record
new key inherits trust via signed rotation
old and new keys both retained
no silent takeovers or resets
public audit trail of recovery attempts (without exposing people)
layers of safety
recovery keys offline and private
social shards distributed across trusted peers
stewards accountable through transparency log
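The shard and safety-rail rules above, written out as a state machine. This is an added example, not Peaceful Foundation code: the 72-hour cooldown, the field names and the choice to spend shards only when a recovery completes are assumptions; the page fixes only t-of-n approval, binding to key id plus counter, the cooldown, helper withdrawal and owner veto.

```javascript
// Added example: recovery request lifecycle. COOLDOWN and all field names are assumed.
const COOLDOWN = 72 * 3600; // seconds; the page gives no duration

// A shard is handed over in person and pre-committed to one key state.
function makeShard(helper, record) {
  return { helper, kid: record.kid, counter: record.counter, used: false };
}

function openRecovery(record, now) {
  return { state: 'pending', kid: record.kid, counter: record.counter,
           opened: now, approvals: new Set() };
}

// A helper approves by presenting their shard; stale or spent shards are refused.
function approve(req, shard) {
  if (req.state !== 'pending') return 'closed';
  if (shard.used) return 'shard already used';
  if (shard.kid !== req.kid || shard.counter !== req.counter) {
    return 'shard bound to another key state';
  }
  req.approvals.add(shard.helper);
  return 'approved';
}

// Helpers can withdraw at any time before completion.
function withdraw(req, helper) {
  return req.state === 'pending' && req.approvals.delete(helper);
}

// The owner, still holding the current key, cancels the request.
function veto(req) {
  if (req.state === 'pending') req.state = 'vetoed';
  return req.state;
}

// Completion needs t approvals AND an elapsed cooldown; shards are spent on success.
function finalise(req, shards, threshold, now) {
  if (req.state !== 'pending') return req.state;
  if (req.approvals.size < threshold) return 'insufficient approvals';
  if (now < req.opened + COOLDOWN) return 'cooling down';
  for (const s of shards) if (req.approvals.has(s.helper)) s.used = true;
  req.state = 'complete';
  return req.state;
}

// Constructed scenario: 2-of-5 helpers, one shard left over from before a rotation.
function demo() {
  const record = { kid: 'key-b', counter: 2 };
  const shards = ['ana', 'ben', 'cy', 'dee'].map((h) => makeShard(h, record));
  const stale = makeShard('eli', { kid: 'key-a', counter: 1 });
  const t0 = 1_700_000_000;
  const req = openRecovery(record, t0);
  const out = { stale: approve(req, stale), first: approve(req, shards[0]) };
  approve(req, shards[1]);
  withdraw(req, 'ben');
  out.afterWithdraw = finalise(req, shards, 2, t0 + COOLDOWN);
  approve(req, shards[2]);
  out.early = finalise(req, shards, 2, t0 + 3600);
  out.done = finalise(req, shards, 2, t0 + COOLDOWN);
  out.reuse = approve(openRecovery(record, t0), shards[0]);
  const hijack = openRecovery(record, t0);
  approve(hijack, shards[1]);
  approve(hijack, shards[3]);
  out.vetoed = [veto(hijack), finalise(hijack, shards, 2, t0 + COOLDOWN)];
  return out;
}
```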
## Technical Design
auth hub
passport.peacefulfoundation.org
main domain for all logins
handles passkey registration, updates, and sign-ins
public profiles
https://user-code.peaceful.foundation
each passport has its own static page
short bio, badges, and links
permanent record at /v/{hash}/profile.json
cached globally for fast load
### Hosting
static-first build on Cloudflare (Pages + Workers)
passkeys scoped to peacefulfoundation.org
only signed JSON updates stored in Cloudflare R2
cheap, fast, reliable, and easy to mirror
store millions+ of small JSON files
reads are cheap + fast via CDN
### Authentication
passkeys only — no passwords or sessions
device signs → server verifies → record saved
server never sees secrets
identity = possession of key, not stored password
### Third-party Sign-in
outside sites (e.g. Calm.College) redirect to passport hub
hub verifies passkey → returns short-lived signed token (~10 min)
tokens verified with published JWKS
each site gets unique user ID (no cross-tracking)
only approved clients allowed
public client directory + visible revocations
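How a hub could issue the short-lived token and how a relying site would check it against the JWKS, as an added example rather than the project's own code. EdDSA signing, the HMAC-derived per-site subject, the client names and the issuer URL are assumptions; Node's `crypto` module stands in for the Worker runtime.

```javascript
// Added example: hub-issued token and relying-site check. EdDSA, the HMAC-derived
// subject and every name below are assumptions, not the project's published format.
const crypto = require('node:crypto');

const TOKEN_TTL = 600; // seconds, the page's "~10 min"
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Per-site subject: stable for one site, unlinkable across sites without the hub secret.
function pairwiseSub(secret, clientId, passportId) {
  return crypto.createHmac('sha256', secret)
    .update(`${clientId}\n${passportId}`).digest('base64url');
}

// Hub side: only approved, unrevoked clients get a token.
function issueToken(hub, clientId, passportId, now) {
  if (!hub.clients.has(clientId)) throw new Error('client not approved');
  const head = enc({ alg: 'EdDSA', typ: 'JWT', kid: hub.kid });
  const body = enc({ iss: hub.issuer, aud: clientId, iat: now, exp: now + TOKEN_TTL,
                     sub: pairwiseSub(hub.secret, clientId, passportId) });
  const sig = crypto.sign(null, Buffer.from(`${head}.${body}`), hub.privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Relying site: pin the algorithm, pick the key by kid from the JWKS, then check claims.
function verifyToken(token, jwks, issuer, clientId, now) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = dec(head);
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const good = crypto.verify(null, Buffer.from(`${head}.${body}`), key,
                             Buffer.from(sig, 'base64url'));
  if (!good) throw new Error('bad signature');
  const claims = dec(body);
  if (claims.iss !== issuer || claims.aud !== clientId) {
    throw new Error('wrong issuer or audience');
  }
  if (now >= claims.exp) throw new Error('expired');
  return claims;
}

// Constructed hub, client ids and passport id.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const hub = { issuer: 'https://hub.example', kid: 'k1', privateKey,
                secret: crypto.randomBytes(32), clients: new Set(['calm', 'learn']) };
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1' }] };
  const now = 1_700_000_000;
  const check = (tok, client, at) => {
    try { return verifyToken(tok, jwks, hub.issuer, client, at).sub; }
    catch (e) { return e.message; }
  };
  const calm = issueToken(hub, 'calm', '1234567890', now);
  const learn = issueToken(hub, 'learn', '1234567890', now);
  let unapproved;
  try { issueToken(hub, 'other', '1234567890', now); } catch (e) { unapproved = e.message; }
  return {
    calmSub: check(calm, 'calm', now + 60), learnSub: check(learn, 'learn', now + 60),
    crossSite: check(calm, 'learn', now + 60), expired: check(calm, 'calm', now + TOKEN_TTL),
    unapproved,
  };
}
```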
### Updating Profile
user edits → device signs JSON update
Worker verifies signature, schema, and expiry
valid updates written to R2
no database sessions required
rate-limited to prevent abuse
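The signature, schema and expiry checks named here, applied to the creative-work attestation from the Participation workflow (hash, title, date, optional note). This is an added example, not the project's Worker: Ed25519 keys, the 2048-byte limit, the field lengths and the sorted-key serialisation are assumptions, and Node's `crypto` module stands in for the Worker runtime.

```javascript
// Added example: Worker-side checks on a signed update. Ed25519, the size limit and
// the field lengths are assumptions; the hash/title/date/note fields are the page's.
const crypto = require('node:crypto');

const MAX_BYTES = 2048;
const FIELDS = { hash: 64, title: 80, date: 10, note: 256 }; // max characters

// Deterministic JSON (sorted keys) so device and Worker sign and verify identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return `[${v.map(canonical).join(',')}]`;
  if (v && typeof v === 'object') {
    return `{${Object.keys(v).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(',')}}`;
  }
  return JSON.stringify(v);
}

const sha256hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Device side: the creator signs the work's hash plus minimal metadata and an expiry.
function signUpdate(privateKey, passport, entry, expires) {
  const body = { passport, expires, entry };
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { ...body, sig: sig.toString('base64url') };
}

// Worker side: size, expiry and schema first (cheap), then the signature.
function verifyUpdate(update, publicKey, now) {
  const { sig, ...body } = update;
  const bytes = Buffer.from(canonical(body));
  if (bytes.length > MAX_BYTES) return 'too large';
  if (!Number.isInteger(body.expires) || now > body.expires) return 'expired';
  const entry = body.entry;
  if (!entry || typeof entry !== 'object') return 'missing entry';
  for (const [key, value] of Object.entries(entry)) {
    if (!Object.hasOwn(FIELDS, key)) return `unknown field: ${key}`;
    if (typeof value !== 'string' || value.length > FIELDS[key]) return `bad field: ${key}`;
  }
  if (!/^[0-9a-f]{64}$/.test(entry.hash || '')) return 'bad hash';
  if (typeof sig !== 'string') return 'bad signature';
  const good = crypto.verify(null, bytes, publicKey, Buffer.from(sig, 'base64url'));
  return good ? 'ok' : 'bad signature';
}

// Constructed work bytes, passport id and timestamps.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const entry = { hash: sha256hex(Buffer.from('constructed poster bytes')),
                  title: 'Quit poster', date: '2025-01-01' };
  const now = 1_700_000_000;
  const update = signUpdate(privateKey, '1234567890', entry, now + 300);
  const padded = signUpdate(privateKey, '1234567890', { ...entry, location: 'x' }, now + 300);
  // Same content with keys in a different order, as after a JSON round trip.
  const reordered = { sig: update.sig, entry, expires: update.expires, passport: '1234567890' };
  return {
    valid: verifyUpdate(update, publicKey, now),
    reordered: verifyUpdate(JSON.parse(JSON.stringify(reordered)), publicKey, now),
    late: verifyUpdate(update, publicKey, now + 301),
    tampered: verifyUpdate({ ...update, entry: { ...entry, title: 'Changed' } }, publicKey, now),
    extraField: verifyUpdate(padded, publicKey, now),
  };
}
```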
### Keys + Recovery
key rotation = signed event (old → new)
recovery through helpers scanning QR in person
cooldown before final recovery completes
all changes logged and visible
panic-hide option for compromised keys
history continuous and transparent
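A verifier can recompute the current key from the rotation log alone. The following added example (not Peaceful Foundation code) covers the signed rotation event described here together with the overlap rule from the Recovery section, where both keys sign to finalise; it handles ordinary rotation only, and the event fields, key-id format and Ed25519 keys are assumptions.

```javascript
// Added example: verifying a key-rotation log. Event fields, the key-id format and
// the two-signature rule are assumptions built on the page's "signed event (old → new)".
const crypto = require('node:crypto');

const der = (pub) => pub.export({ type: 'spki', format: 'der' });
const kidOf = (pub) => crypto.createHash('sha256').update(der(pub)).digest('hex').slice(0, 16);

// A rotation is final only when the old key authorises it and the new key confirms it.
function rotate(oldPair, newPair, counter) {
  const body = JSON.stringify({ prev: kidOf(oldPair.publicKey), counter,
                                next: der(newPair.publicKey).toString('base64') });
  const sign = (pair) => crypto.sign(null, Buffer.from(body), pair.privateKey).toString('base64');
  return { body, sigOld: sign(oldPair), sigNew: sign(newPair) };
}

// Replay the log from the first registered key; returns the current key state or throws.
function currentKey(genesisPub, events) {
  let pub = genesisPub;
  let counter = 0;
  for (const ev of events) {
    const claim = JSON.parse(ev.body);
    if (claim.prev !== kidOf(pub)) throw new Error('event does not extend current key');
    if (claim.counter !== counter + 1) throw new Error('counter not monotonic');
    const next = crypto.createPublicKey({ key: Buffer.from(claim.next, 'base64'),
                                          format: 'der', type: 'spki' });
    const data = Buffer.from(ev.body);
    if (!crypto.verify(null, data, pub, Buffer.from(ev.sigOld, 'base64'))) {
      throw new Error('old key did not authorise');
    }
    if (!crypto.verify(null, data, next, Buffer.from(ev.sigNew, 'base64'))) {
      throw new Error('new key did not confirm');
    }
    pub = next;
    counter = claim.counter;
  }
  return { kid: kidOf(pub), counter };
}

// Constructed keys: three honest generations and one outsider.
function demo() {
  const [k0, k1, k2, outsider] = [0, 1, 2, 3].map(() => crypto.generateKeyPairSync('ed25519'));
  const log = [rotate(k0, k1, 1), rotate(k1, k2, 2)];
  const attempt = (events) => {
    try { return currentKey(k0.publicKey, events).kid; } catch (e) { return e.message; }
  };
  // The outsider names k2 as the previous key but can only sign with their own key.
  const forged = rotate({ publicKey: k2.publicKey, privateKey: outsider.privateKey }, outsider, 3);
  return {
    honest: attempt(log) === kidOf(k2.publicKey),
    hijack: attempt([...log, forged]),
    skipped: attempt([log[1]]),
    unconfirmed: attempt([{ ...log[0], sigNew: log[0].sigOld }]),
  };
}
```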
### Offline Proof
device shows QR with one-time challenge
another device scans → verifies signature from profile.json
no internet required
allows in-person verification of identity
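Both sides of the one-time challenge, combining these notes with the rules in the Personal section (verifier nonce, key id, rotation counter, signed intent, expiry of at most 60 seconds). This is an added example, not the project's code: the field names, the key-id format and Ed25519 are assumptions, and `record` stands for whatever copy of profile.json the verifier holds.

```javascript
// Added example: in-person challenge and response. Field names and the key-id
// format are assumptions; `record` stands for the verifier's copy of profile.json.
const crypto = require('node:crypto');

const MAX_TTL = 60; // seconds, the page's upper bound

const kidOf = (pub) => crypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex').slice(0, 16);

// Verifier: a fresh nonce, shown as a QR code.
function newChallenge(now) {
  return { nonce: crypto.randomBytes(16).toString('hex'), issued: now };
}

// Prover: signs nonce, key state, intent and expiry as one exact byte string.
function respond(challenge, pair, counter, intent) {
  const body = JSON.stringify({ nonce: challenge.nonce, kid: kidOf(pair.publicKey),
                                counter, intent, expires: challenge.issued + MAX_TTL });
  const sig = crypto.sign(null, Buffer.from(body), pair.privateKey).toString('base64url');
  return { body, sig };
}

// Verifier: every mismatch is a refusal (fail closed); a nonce is accepted once.
function verifyResponse(res, challenge, record, seen, now) {
  let claim;
  try { claim = JSON.parse(res.body); } catch { return 'malformed'; }
  if (!claim || typeof claim !== 'object') return 'malformed';
  if (claim.nonce !== challenge.nonce || seen.has(claim.nonce)) return 'replayed or foreign nonce';
  if (!(claim.expires <= challenge.issued + MAX_TTL) || now > claim.expires) return 'expired';
  if (claim.kid !== record.kid || claim.counter !== record.counter) return 'stale key state';
  const good = crypto.verify(null, Buffer.from(res.body), record.publicKey,
                             Buffer.from(String(res.sig), 'base64url'));
  if (!good) return 'bad signature';
  seen.add(claim.nonce);
  return 'ok';
}

// Constructed keys, passport id, place and timestamps.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const rotated = crypto.generateKeyPairSync('ed25519');
  const record = { kid: kidOf(alice.publicKey), counter: 3, publicKey: alice.publicKey };
  const newer = { kid: kidOf(rotated.publicKey), counter: 4, publicKey: rotated.publicKey };
  const now = 1_700_000_000;
  const intent = { who: '1234567890', where: 'constructed meetup', when: now };
  const seen = new Set();
  const run = (rec, at, mutate = (r) => r) => {
    const ch = newChallenge(now);
    return verifyResponse(mutate(respond(ch, alice, 3, intent)), ch, rec, seen, at);
  };
  const ch = newChallenge(now);
  const res = respond(ch, alice, 3, intent);
  return {
    first: verifyResponse(res, ch, record, seen, now + 5),
    replay: verifyResponse(res, ch, record, seen, now + 6),
    late: run(record, now + 61),
    stale: run(newer, now + 5),
    altered: run(record, now + 5, (r) => ({ ...r, body: r.body.replace('meetup', 'office') })),
  };
}
```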
### Badges
small JSON records showing contributions
#### What, Where, When, Verified_by
other passports can co-sign for proof
optional link to hex location for map use
contributions visible, not status-based
verification via webhook submission on discord with people reacting
can also have a web portal as the backend
only people who got the badge already, or staff, can verify
### Transparency
every change hashed and logged
checkpoints mirrored (DNS + static page)
steward actions recorded and public
no hidden edits or silent removals
### Privacy
location off by default
can specify which hexagon they're in
short bios, limited links (safe domains only)
no trackers, ads, or analytics
minimal security logs kept briefly
### Security
CORS locked to approved origins
inputs validated and size-checked
signing keys rotated regularly
token lifetime short
static cache keeps profiles live even if hub offline
## Giving People an Email Address
## Why Email
An @peaceful.foundation address is cheap to provide
It gives trusted ambassadors a clear, trusted identity
By cutting features down to the minimum
receive-only mailboxes
lightweight access
We make the service extremely low-cost and easy to scale
## Approach
Receive-only
mail accepted from the internet for peaceful.foundation domains
no outbound SMTP permitted
inbound to other @peaceful.foundation, @peaceful.network or @peacefulfoundation.org addresses good and encouraged
(in the future, can also provide other open source services such as Mastodon or others)
(this also integrates with peaceful passport, expanded upon later)
JMAP
modern version of IMAP and POP3
much lighter weight and more performant
User access
JMAP and webmail for reading
no IMAP, POP3, or SMTP submission
10-digit random username; 1,000,000,000 to 4,294,967,295 for mathematical and scarce assignment
(integrates with peaceful passport)
Cheap as possible
no bloat, no extras
just the core inbox
## Technical Stack
Stalwart Mail Server
handles SMTP inbound and JMAP
modern, modular, written in Rust
designed for high efficiency and low overhead
SMTP inbound
VM pool behind a regional network load balancer
accepts MX traffic only
outbound ports blocked
SPF, DKIM, DMARC checked on inbound
outbound: SPF set to -all, DMARC set to reject
JMAP + webmail
JMAP served on Google Cloud Run for autoscale
global HTTPS load balancer distributes traffic
Storage
FoundationDB cluster for metadata and indexes
3–5 nodes to start, scale to millions of users
Object storage for message bodies and attachments
cheap, durable, unlimited capacity
Outbound traffic reduction
no images or remote media fetched by default
plain-text and minimal HTML views only
small attachments stored, but never auto-loaded
## Pricing
Compute
SMTP VM pool: 3 × e2-small (~$10 each) = ~$30/month
FoundationDB cluster: 5 × e2-standard (~$40 each) = ~$200/month
JMAP + webmail via Cloud Run: ~$40/month (lower traffic, plain-text)
Load balancers
1 global HTTPS + 1 regional NLB = ~$40/month
Storage
1 TB object storage = ~$20/month
FoundationDB disks included in VM costs
Bandwidth
plain-text only, no remote images
reduces user download volume by 30–60%
1 TB user downloads ≈ ~$80/month
Total for 100k users, light traffic
≈ $350–400/month
Total for 1m users, ~7 TB access
≈ $1.5k–2k/month
## Passport Operational Notes
onboarding → open signup; passkeys; no invite/paywall
future → optional steward gifting/vouching
revocation + rotation
users rotate keys anytime
stewards can hide abusive content; actions logged
“panic hide” option for compromised profiles
privacy defaults
location optional, hidden unless enabled
bio capped in length
contributions public in aggregate; logs minimal
links capped, only whitelisted domains
portability → profiles stored as signed JSON, exportable/importable
signatures verifiable outside PF servers
ensures continuity when migrating to [redacted]
governance
stewards can flag/hide abusive profiles, issue verification badges
actions logged in transparency record
long-term → shift from central moderation to distributed steward circles
third party badges