Editorzero
Open-source, self-hostable AI-native docs platform. Humans and AI agents as peer co-editors. Phase 1: architecture and ADRs.
Ask AI about Editorzero
Powered by Claude Β· Grounded in docs
I know everything about Editorzero. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
AI-native, self-hostable docs. Humans and agents as peer co-editors.
One capability layer. Four surfaces: API Β· CLI Β· MCP Β· Web UI. Full parity, enforced.
π§ͺ A real production experiment in complex agentic engineering. Every line of code, every ADR, every architectural decision is driven end-to-end by Anthropic's new Opus 4.7 model.
Status Β· What It Is Β· Experiment Β· Invariants Β· Parity Β· Roadmap Β· Contributing
π§ Status
Work in progress. No runnable artifact yet. The platform is currently in Phase 3 β verification harness + first slice.
| Phase | What | State |
|---|---|---|
| 0 Β· Orient | Brief, invariants, working assumptions | β Closed |
| 1 Β· Research + ADRs | 20 ADRs, cross-model red-team | β Closed |
| 2 Β· Architecture | End-to-end design, 3 red-team passes (including cross-model) | β Closed |
| 3 Β· Verification harness + first slice | Types / lint / unit / property / contract / e2e β "create doc, read doc" | π In progress |
| 4 Β· Feature slices | Full capability surface across all four adapters | β |
| 5 Β· Hardening + launch | Security pass, load tests, runbook, threat model | β |
Rolling work state in docs/continuation.md.
β¨ What Is editorzero?
editorzero is an open-source, self-hostable, Markdown-first documentation and collaboration platform where human users and AI agents are peer co-editors β not a human product with agent bolted on.
- Agent-first, not agent-retrofitted. Every layer (auth, identity, attribution, audit, quotas, recoverability) treats agents as distinct principals with their own tokens, rate limits, and trace identities.
- Four-surface parity as a hard constraint. API, CLI, MCP server, and Web UI are adapters over a single capability layer. Contract tests enforce the matrix; unchecked type-compatible cells fail the build.
- Markdown round-trip determinism. The CRDT document model maps losslessly to a canonical Markdown AST. Property tests prove
md β crdt β mdis a fixed point. - Deployable with one command. SQLite for single-node self-hosts; Postgres for production (target: 500β1,000 users per instance, design headroom for 10,000).
Editor quality targeted at Linear docs, Notion, Craft.
π§ͺ The Experiment
editorzero is a real production experiment in complex agentic engineering.
Every line of code, every ADR, every architectural decision, every red-team pass is authored end-to-end by Anthropic's new Opus 4.7 (1M-context) under @numman's review at phase boundaries. It is not a demo, not a toy, not assistant-polished human scaffolding β it's a live attempt to see how far a single frontier model can carry a multi-surface, CRDT-backed, audit-complete, self-hostable platform from Phase 0 orientation through production hardening.
What's being stress-tested:
- Autonomous phase progression. Human review at boundaries, not per-commit.
- Self-critique loops. Red-team sub-agents find blockers before they ship (F1βF93 and counting across four passes).
- Independent cross-validation at high stakes. Phase 2's final red-team pass added a second model on the same prompt and caught 3 BLOCKERs the primary review missed β one was invalid SQL that would have shipped otherwise.
- Code-as-spec over prose-as-spec. Types and property tests are canonical; ADRs explain why, not how.
- Drift-prevention. Coherence scripts at pre-commit, registry-derived adapters, single source of truth per concern.
The repo history is the ledger. Every commit is attributable; every architectural decision has an ADR with alternatives considered; every invariant is enforced in code, not prose.
π§ Why This Looks Different
Five reframings shape the architecture. Each one rules out a whole class of shortcuts.
- Agent-first is the whole architecture, not a feature. Retrofitting identity, quotas, and attribution later is how "agent support" becomes a toy.
- Four-surface parity is the center-of-gravity constraint. If any surface has bespoke mutation logic, we've lost. Contract tests generated from the capability registry enforce the matrix.
- Markdown round-trip determinism is the hard test. Editors that model their DOM as "whatever looks right in the browser" fail here. The CRDT must map losslessly to a canonical Markdown AST.
- Humans + agents editing simultaneously = CRDT convergence AND editor correctness. Programmatic edits concurrent with keystrokes cannot flicker, lose cursor state, or corrupt the CRDT.
- Taste is table stakes for docs. Slash commands, table UX, drag-and-drop, paste handling, collab cursors, and hierarchy navigation are where users decide whether to stay.
Full framing in docs/brief.md.
π‘οΈ Hard Invariants
Property tests enforce these from Phase 3 onward. A build that violates one doesn't land.
- Markdown fidelity β per-block Markdown round-trips cleanly under its declared tier.
- Convergence β any mix of concurrent human/agent edits converges across replicas via the CRDT.
- Audit completeness β every mutation produces exactly one audit entry; the audit log alone reconstructs final state.
- Surface parity β every capability exists on every type-compatible surface. No exceptions.
- Permission uniformity β no mutation or tenant-scoped read is reachable without a permission check; no surface re-implements that logic.
- Recoverable soft-delete β soft-deletes are recoverable via a first-class capability; hard-deletes are separate, audited, never silent.
- Single write path β content mutations flow through the CRDT via
ctx.transact(doc_id, fn); metadata mutations are dispatcher-tx-only and enumerated explicitly. - Agent principals are first-class β distinct rate limits, audit attribution, and revocation. Not shared user tokens.
π Four-Surface Parity
One capability layer. Every surface is a generated adapter over it.
| Capability | API | CLI | MCP | Web UI |
|---|---|---|---|---|
doc.list | π‘ | π‘ | π‘ | π‘ |
doc.create | β | β | β | β |
doc.read | β | β | β | β |
doc.rename | β | β | β | β |
doc.publish / unpublish | β | β | β | β |
doc.move | β | β | β | β |
block.set_visibility | β | β | β | β |
collection.* | β | β | β | β |
agent.token.rotate | β | β | β | β |
β¦ full matrix in docs/architecture.md |
Legend: π‘ kernel landed, adapters pending Β· β landed + contract-tested Β· β not yet implemented
Contract tests generated from the capability registry enforce the matrix. Unchecked type-compatible cells fail the build.
β Verification Stack
Every change passes, in order, locally via pre-commit hooks β no separate CI bottleneck at this phase.
- Types β
tsc --noEmitclean across the monorepo - Lint + format β zero warnings (Biome)
- Unit tests β pure logic
- Property tests β CRDT convergence, Markdown fidelity, inverse-restore, permission invariants, capability-matrix parity
- Integration tests β capabilities against real SQLite and real Postgres
- Contract tests β API/CLI/MCP/UI parity matrix, generated from the capability registry
- E2E tests β Playwright +
@axe-core/playwrightfor WCAG 2.1 AA - Smoke deploy β ephemeral
docker composeenv, hit/health, create a doc, tear down - Observability check β traces export, no unexpected error spans
"Fix it in the next commit" is not acceptable; the hook doesn't let it land. Steps 3β9 light up as Phase 3 lands the test harness and the first slice.
πΊοΈ Roadmap
See the phase table in Status. Detailed ordering and current sub-slice lives in docs/continuation.md.
π Documentation
| File | What it holds |
|---|---|
AGENTS.md | Canonical working practices, invariants, verification stack, gotchas |
docs/continuation.md | Rolling work state β current phase, focus, open questions |
docs/brief.md | Phase 0 framing β reframings, invariants, assumptions |
docs/adr/ | One file per architectural decision (0001β0020) + red-team disposition docs |
docs/architecture.md | Phase 2 end-to-end system design |
CONTRIBUTING.md | Contributor onboarding + DCO instructions |
SECURITY.md | Security reporting |
CHANGELOG.md | Per-release notes |
Architectural stack at a glance
| Layer | Choice | ADR |
|---|---|---|
| Backend runtime | Node 22 LTS + TypeScript | 0002 |
| CRDT | Yjs | 0003 |
| Rich-text editor | BlockNote | 0004 |
| UI framework | Next.js 16 | 0005 |
| Realtime transport | Hocuspocus (WebSocket) + stdio/HTTP-SSE for MCP | 0006 |
| Database | Postgres (prod) + SQLite (self-host) via Kysely | 0007 |
| Search | Postgres FTS + pgvector / sqlite-vec | 0008 |
| MCP SDK | Official @modelcontextprotocol/sdk 1.x | 0009 |
| SSO | Better Auth | 0010 |
| Custom domains / TLS | Caddy + ACME | 0011 |
| Deploy artifact | docker compose + single container | 0012 |
| Block model | Per-block Markdown fidelity tiers | 0013 |
| Job queue | pg-boss (prod) / in-process (SQLite) | 0014 |
| Permissions | Capability-layer enforcement, AccessPath.selector reserved | 0015 |
| Principal model | Polymorphic (kind β {user, agent}) | 0016 |
| Soft-delete | First-class recoverable capability | 0017 |
| Write path | Single ctx.transact(doc_id, fn) into the CRDT | 0018 |
| Observability | OpenTelemetry traces, metrics, logs | 0019 |
| Git mirror | Optional read-only git export | 0020 |
π€ Contributing
Direct push to main while it's solo-author + agent. If/when multiple humans contribute, the flow switches to PRs.
- DCO sign-off on every commit (
git commit -s) - Commits are terse and imperative β context + decision + consequence
Co-Authored-Byfooter for AI-assisted commits- Never force-push
main
Full contributor guide in CONTRIBUTING.md; security issues per SECURITY.md.
π Requirements
- Node.js 22 LTS (22.x)
- pnpm 10.x
- Git + DCO sign-off
Production deploys additionally require Postgres β₯ 16 and pgvector β₯ 0.8.2.
π License
AGPL-3.0-only. DCO required on every commit.
License rationale and alternatives considered: ADR 0001.
A production experiment in agentic engineering Β· Driven end-to-end by Anthropic's Opus 4.7