Moderation

Synced from docs/MODERATION.md·Last updated: 2026-05-12

Koven runs standard admin moderation — kick, ban, redact, change power levels — gated by Matrix power levels under the hood. The Koven part is the rule the protocol enforces on top: every moderation action lands in an append-only log readable by every member of the room. Admins exist, they have real authority, and there is no secret moderation. If someone got banned, the log says so. If a message got redacted, the log says so. With the actor's mxid, the reason, and a timestamp, forever.

Core principles

Admins exist. Spaces have owners. Owners can promote others to admin or moderator. Roles are real and bring real powers. Koven is not a vote-only-no-mods experiment.
Every moderation action is visible to every member. Append-only, append-only, append-only. Kicks, bans, redactions, role changes, dismissed reports, member-submitted reports, self-deletions, bot kicks and bans — all of it. No edits, no deletes. The room's mod log is the single canonical record of who did what.
Federation is off. A Koven instance is a self-contained community. It doesn't federate with other Koven instances or with vanilla Matrix homeservers. Cross-server moderation is moot here; what happens on your instance stays on your instance.
Bots fit the same model. Bot kicks and bans go through the same PL-gated path with one extra affordance: a space owner can remove a bot from their space with one click, and the bot's owner can pull their own bot from a space they don't moderate via the bot's own token.

Roles

Koven uses Matrix's standard power-level system. The shorthand:

Role	PL	Can do
Member	0	Send messages. Report content. Self-delete own messages.
Moderator	50	Everything a member can do, plus: kick from space, ban / unban from space, redact any message, promote others up to PL 50, demote others at PL ≤ 50.
Owner / Admin	100	Everything a moderator can do, plus: promote others up to PL 100, edit space settings, manage categories, delete the space.

The space's creator gets PL 100 on creation. Synapse enforces the standard rule that you can't promote someone above your own level — a moderator can't make another moderator, but an owner can.

Every role change is itself a logged event. Promoting someone to admin in a public room is a public act.

Moderation primitives

Kick

Space-wide. Removes a member from every room in the space at once (Discord-style — one click, gone everywhere). They can be re-invited or, for public rooms, rejoin on their own. Logged as a kick entry in every affected room's mod log, with the actor, target, "Space-wide" reason marker, and timestamp.

Ban

Space-wide. Removes a member from every room AND prevents rejoining anywhere in the space. Sticky — they can't accept new invites to any room in the space until unbanned. Logged as a ban entry in each affected room's mod log.

Unban

Reverses a ban across the whole space. The user can be re-invited again. Logged as unban in every room where the ban is lifted.

Redact (admin-side)

Removes the content of any message in the room. The Matrix event id stays in the timeline (as a stub); the content is gone for every device, every client. Distinct from a user's self-delete because the actor is the admin, not the message author — the log entry records this explicitly so members can see when an admin removed content versus when the author retracted it themselves.

Change power level

Space-wide. Promotes or demotes another member to Moderator (PL 50) or Admin (PL 100) — or resets them to a regular member (PL 0) — across every room in the space at once. Bounded by your own PL: you can grant up to your own level, never higher. Logged as role_change in every affected room's mod log with the new level and a "Space-wide" reason marker. Roles are server-wide in Koven (Discord-style); there's no per-channel role concept.

Reports

Any member can report any message or any room. The flow:

Open the report dialog. Hover a message → flag icon. Pick a category (harassment, spam, off-topic, floor violation). Add a brief rationale. Submit.
The report lands in the admin queue. Admins see open reports in a dedicated sheet (shield icon in the sidebar, badged with the open count). Each entry shows the reporter, category, rationale, and a link to open the target in context.
An admin acts on the report. They can open the message in the room, then kick / ban / redact via the standard primitives above. Or they can dismiss the report if they disagree.
The report and the resulting action both land in the public mod log. The reporter is named (no anonymous reports — sunlight goes both ways). The admin's action and reason are named too.

Reports are not a vote. They surface to admins for triage. The admin is the one who decides what happens. The log is what makes that decision accountable.

Floor violation reports

One category — floor_violation — is reserved for CSAM, credible threats, and doxxing. These reports surface with higher priority in the admin queue, and the dialog warns the reporter that false floor reports waste admin time. The action set is the same (kick / ban / redact) — there's no separate "fast track" anymore; the priority is the only difference.

The public mod log

Every room has a mod log accessible from the chat header (the scale icon). It surfaces every moderation event in the room, append-only, oldest at the top. What you'll find:

Kicks, bans, unbans, redactions, role changes — with actor mxid, target, reason, timestamp.
Self-deletions — when a member deleted their own message, with timestamp.
Bot kicks and bans — when a space owner removed a bot from the room.
Member reports — who reported what, when, with what rationale, and what state the report is in (open, dismissed, actioned).

Nothing can be edited or removed from the log. If an action turns out to be wrong, the correction is a new entry on top of the old one — the original action stays visible. There's no rewind button. The log is the truth.

What this prevents, what it doesn't

Prevents:

Hidden bans. If you got banned, the log says who did it and why.
Quiet redactions. The content is gone, but the fact of the redaction stays visible.
Promotion drift. Every role change is on the record.
"Mods deleted the evidence" — they didn't, the log shows them deleting it.

Does not prevent:

An admin acting unilaterally. The check isn't a vote; the check is that the action is visible forever. If an admin acts in bad faith, the log is the record members use to call them out — or to leave the space and tell other people why.
A community choosing bad admins. Koven doesn't tell a community who to promote.
Real-time abuse during a voice / video call. Calls aren't a moderation surface — there's no log of what was said in audio. Members handle it the usual way: leave, reconvene without the bad actor.
Content posted in encrypted rooms being indexed for member reports. The engine can't read encrypted content, so the per-message report path is hidden in encrypted spaces. Standard admin moderation (kick / ban / role change) still works there — those go through Synapse's PL system, which doesn't care about encryption.

Why we moved on from consensus moderation

An earlier version of Koven tried to do moderation by community vote — distinct flaggers, weighted by a reputation score, with thresholds that scaled with the room's size. It was an interesting design. It also didn't work in practice for reasons that became obvious once we'd built it: spam needs to be removed in seconds, not by quorum; reputation is gameable with time; brigading is hard to defend against without a trust root; and most people running a community want to be able to act on bad behaviour without convening a tribunal first. The voting machinery competed with the obvious thing — let the people who run the community run it — and made the obvious thing harder to do.

The one part of the old design that survived is the part that always mattered: moderation actions are visible to everyone in the room, forever. That was true under the consensus model and it's true under this one. The model changed; the transparency rule didn't.

Bot moderation

Bots are users, but with one extra affordance for space owners: a single-click kick / ban from a space that cascades across every joined child room. Same PL gate as human moderation; same log entry shape. Bots that you own can be removed by you from any space, regardless of whether you moderate that space — the bot does a voluntary leave under its own token, no PL required.

← Back to the homepage