10 Gates — The Composable Access Model: Who Sees What
Public or private is a light switch. Real publishing needs a control panel. This engine resolves who-sees-what on three stacking axes — tier, group, and locks — entirely on the server, most-restrictive-wins. Here's the model, and the scenarios it makes possible.
"Public or private" is a light switch. It's also where almost every publishing platform stops, which is why almost every creator who needs anything in between ends up duct-taping three services together: the blog, the membership tool, the email gate, each holding a piece of the answer and none of them talking to the others. Three bills, three logins, three databases, and a seam between each pair where content leaks or breaks.
The engine treats access as a first-class property of content instead — a control panel, not a switch. Visibility resolves on three axes that stack, entirely on the server, and the most restrictive rule always wins. This post is the model, because once you see it, the duct tape looks insane.
Axis one: the tier
The first axis is who you are to the site. Three tiers: public (anyone, indexed, the open web), registered readers (someone who created an account and gave you a relationship), and pro (a reader you've granted elevated access). It's the vertical ladder — each rung sees everything the rung below sees, plus more.
This alone replaces the usual "free post / members-only post" split that membership platforms charge a monthly fee to provide. But on its own it's still coarse. A tier knows whether you're logged in and whether you're elevated. It doesn't know which segment you belong to, and it doesn't handle the situational, one-off rules real publishing constantly needs. That's what the other two axes are for, and it's why "tiers" alone — which is all most membership tools offer — leaves you reaching for plugins within a week.
Axis two: the group
The second axis is horizontal. Where tiers stack vertically, groups sit side by side — a cohort, a client, a beta team, an inner circle. A post can be restricted to one or more groups, and group membership is independent of tier. Two pro readers can see completely different content because they're in different groups. A client and a course cohort and your private circle are three parallel audiences, not three rungs on one ladder, and the group axis models them as what they are.
Groups have a property most systems don't think to offer: they can be visible or invisible, and the difference is strategic, not cosmetic.
A visible group's gated post shows up in listings with a "members only" marker. The reader outside the group knows it exists and knows they're locked out — which is sometimes exactly the pull you want. Visible exclusivity advertises that there's an inside worth getting into; the locked door is part of the marketing.
An invisible group's post is simply gone for non-members: absent from listings, absent from the sitemap, absent from the feed, a 404 to anyone outside. Not "you can't read this" — "this does not exist for you." That's the tool for sensitive material, private client deliverables, or anything whose mere existence you don't want to advertise. Having both modes is the difference between a membership tier and an actual access architecture, because real situations need both "flaunt the locked door" and "the door isn't there."
Axis three: the locks
The third axis is a set of per-post locks that stack on top of everything else — the situational rules real content needs, each independent of tier and group:
- Password — a shared secret, independent of any account. Hand it out however you like; revoke it by changing it.
- Secret link — an unguessable URL for content that's technically reachable but practically hidden. No login, no listing, just a key you share deliberately.
- Scheduled publish — invisible until a moment you set, so a launch goes live on time without you awake at the keyboard.
- Early access — a window where elevated readers get it first, then it widens to everyone. Reward your committed audience without permanently walling the content off.
- Geographic rules — allow or block by region, for content that's only relevant, or only appropriate, in certain places.
- Self-destruct — content that expires at a set time and redirects somewhere afterward, for anything that shouldn't outlive its moment.
- Registration wall — readable only after the reader registers, turning a strong piece into a deliberate lead-capture trade.
Any of these can ride on top of any tier and any group. That's where "ten gates" comes from: three tiers, the group axis, and the stack of locks, all composable into one resolved decision.
Most-restrictive-wins, resolved before the page exists
Two design decisions make this trustworthy rather than just clever, and both are about guarantees rather than features.
First: most-restrictive-wins. When rules stack, the engine doesn't try to be helpful and split the difference or pick the most permissive interpretation. It takes the strictest applicable rule and enforces that. A post that's pro-tier and group-restricted and inside an early-access window is visible only to someone who satisfies all three — not to someone who clears just one. This means you can always reason about access by asking a single question: "what's the tightest constraint here?" The answer is always the one that holds. Predictable beats permissive when the thing you're protecting has real value, because the failure mode of "permissive by default" is a leak, and a leak you find out about from the wrong person.
Second, and this is the one that matters most: it resolves on the server, before the page is serialized. A reader who isn't allowed to see the protected body never receives it. The content is stripped on the server, so their view-source is already clean — there's nothing hidden in the markup, no protected text sitting in a collapsed element a determined reader can pop open in dev tools, no "premium" content shipped to the browser and merely styled invisible. The protected bytes never leave the machine.
This is the line between a real boundary and theater. A great many paywalls and "members-only" gates are pure theater — the full content is in the page, and the lock is a JavaScript overlay anyone can bypass by disabling scripts or reading the source. In business terms: your premium content cannot leak through the page here, because it was never sent to the page. That's not a policy you're trusting or a vendor's promise. It's physics you can verify yourself with view-source.
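The resolution rule from this section, as an added Python example that is not the engine's own code. The `Post`, `Reader` and `Verdict` names, the three gates modelled (tier, group, scheduled publish), and the choice to show a tier miss as a locked teaser are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional

class Verdict(IntEnum):      # ordered so max() returns the strictest outcome
    ALLOW = 0                # full body may be serialized
    TEASER = 1               # listed with a "members only" marker, no body
    NOT_FOUND = 2            # same response as a post that does not exist

TIERS = {"public": 0, "registered": 1, "pro": 2}  # vertical ladder

@dataclass
class Post:
    title: str
    body: str
    tier: str = "public"
    groups: frozenset = frozenset()   # empty means no group restriction
    group_visible: bool = True
    publish_at: Optional[datetime] = None

@dataclass
class Reader:
    tier: str = "public"
    groups: frozenset = frozenset()

def resolve(post, reader, now):
    """Evaluate each gate on its own; the strictest verdict wins."""
    verdicts = [Verdict.ALLOW]
    if TIERS[reader.tier] < TIERS[post.tier]:
        verdicts.append(Verdict.TEASER)  # assumption: tier misses are teased
    if post.groups and not (post.groups & reader.groups):
        verdicts.append(Verdict.TEASER if post.group_visible else Verdict.NOT_FOUND)
    if post.publish_at and now < post.publish_at:
        verdicts.append(Verdict.NOT_FOUND)
    return max(verdicts)

def serialize(post, reader, now):
    """Build the response from the verdict; body is copied only on ALLOW."""
    verdict = resolve(post, reader, now)
    if verdict is Verdict.NOT_FOUND:
        return 404, {}
    if verdict is Verdict.TEASER:
        return 200, {"title": post.title, "locked": True}
    return 200, {"title": post.title, "locked": False, "body": post.body}

# Constructed sample data: a pro-tier post gated to an invisible group.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
BRIEFING = Post("Briefing", "protected text", "pro", frozenset({"vetted"}), False)
INSIDER = Reader("pro", frozenset({"vetted"}))
OUTSIDER = Reader("pro")
```

Because the response is built up from the verdict instead of being filtered afterwards, a denied reader's payload has no `body` key to hide, and the invisible-group 404 carries nothing that distinguishes it from a missing post.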
What it actually enables: four scenarios
The model is abstract until you watch one piece of infrastructure do many jobs. Here are four, all with no extra tooling.
The research publication. The teaser is public — indexed, the bait that earns search traffic. The full analysis is registered-readers — the reader trades an email's worth of relationship for the depth. The raw dataset and methodology are pro — your most committed audience. And the operational briefing, the part with real sensitivity, is gated to an invisible group of vetted members and additionally set to self-destruct after the engagement window closes — so it doesn't exist for anyone outside the group, and it's gone for everyone once it's served its purpose. One piece of content, four audiences, four correct realities.
The product company. Marketing pages are public and built for search. The detailed integration docs sit behind a registration wall, so reading them turns an anonymous visitor into a known lead. Customer-only release notes go to a visible group — prospects can see that a paying-customer area exists, which is its own quiet sales pressure. And the security advisory for a specific enterprise client goes to an invisible group of exactly that client's team.
The course operator. Public posts establish authority and rank. The current cohort gets its material via a group gate with early access, so this month's students see each lesson before it widens to alumni. Past cohorts keep access as a visible alumni group. A bonus deep-dive is password-protected and the password is announced live on a call, so only attendees get in — no new infrastructure, just a lock.
The consultant. Public case studies pull inbound. A specific client's deliverables live in an invisible group that's a 404 to everyone else on earth. A time-boxed proposal is shared by secret link and set to self-destruct when the decision window closes, so it can't circulate after it's stale.
Four businesses, one access model, zero bolt-on services. On the usual stack each of those is a blog plus a membership platform plus an email tool plus a manual spreadsheet — four bills, four integration seams, four places for content to leak or break. Here it's three axes and one resolver.
And those four scenarios barely scratch the combinations. Three tiers, an open-ended set of groups in two visibility modes, and seven locks that stack freely don't add up — they multiply. The same content can be public-and-permanent, or registered-with-early-access, or pro-and-group-gated-and-self-destructing, and dozens of other arrangements, each a single resolved decision rather than a custom integration you maintain by hand. That combinatorial range is the real point. A switch gives you two states. A control panel with three independent axes gives you a space large enough that you'll never hit its edges in practice — which means the access model stops being the thing you fight and becomes the thing you reach for. You stop asking "can the platform do this" and start asking "who should see this," which is the only question that was ever actually about your business.
The gates are a sales engine
There's a last point that's easy to miss because it's disguised as a permissions feature: this access model is, quietly, a qualification funnel that runs itself.
Public content does the reach and the ranking, pulling in strangers at scale. Registration walls and reader tiers convert the interested ones into known relationships — names, emails, a reason to come back. Group and pro gates sort the merely curious from the genuinely committed, and they do it through behavior rather than a form: the people who register, return, and qualify for the inner tiers are self-selecting as your real audience and your real prospects. By the time you'd take a sales call, the site has already sorted stranger from reader from member from insider, server-side, automatically, while you slept.
That's what access control looks like when it's an architecture instead of a switch — and it's why owning the gates means owning who sees what and owning who becomes a customer. You're not just protecting content. You're running the funnel in the same machine that publishes it.
And because it's all one system, the funnel has no seams for prospects to fall through. On the duct-taped stack, the handoffs are where you lose people: the reader who clears the blog's gate but never makes it into the separate membership tool, the email captured in one service that never syncs to the access list in another. Every integration boundary is a leak. Collapse the whole thing into one resolver over one database and those leaks close — the visitor who registers is, in the same instant and the same system, the reader who can now see the gated tier. One machine, one source of truth, no gaps between the tools where your hardest-won prospects quietly vanish.
Summary
Public or private is a light switch; real publishing needs a control panel. This engine resolves who-sees-what on three stacking axes, entirely on the server.
Three Stacking Axes. Vertical tiers, horizontal groups, and seven situational locks — password, secret link, schedule, early access, geography, self-destruct, registration — compose into one resolved decision.
Visible or Invisible. A gated post can advertise its locked door as marketing — or simply not exist for outsiders: no listing, no sitemap, a 404.
Most-Restrictive-Wins. When rules stack, the strictest one always holds, so access is reasoned about by asking a single question: what's the tightest constraint here?
Enforced in the Wire. Resolution happens server-side before the page is serialized; protected bytes never reach the browser. Physics, not policy.
A Funnel in Disguise. The gates sort stranger from reader from insider automatically — a qualification funnel with no seams for prospects to leak through.
