I see that you support basic authentication and oauth is marked as experimental. Authentication is not the core of your project but it's very important if you want that people downloads and use your software for something real, collaborating over the internet instead of playing with it locally.
We are aware that proper security and authentication are core problems to solve for the idea to scale. However, it is also an open (research) question how to do this properly.
Currently we have per-webstrate access right, which means that if you give someone permission to write in one of your webstrates they can do anything with it, e.g. empty its body. It could be interesting if it would be possible to specify what operations you would permit from someone to a webstrate, e.g. "you can only add to this particular unordered list, and the added element must have following form".
Good ideas are welcome.
On those projects we have designers who share their designs on Frontify or Invision. We only have the permission to view and comment. Even in this case is not fine grained, it's on the whole page.
I think this covers the 99% of business cases and possibly more, furthermore page wide permissions are something people is familiar with (least surprise principle) and a degenerate case of fine grained ones.
The tl;dr: Webstrates persist and synchronize changes to the DOM of any page served from the Webstrates server to clients of the same page. Using transclusion through iFrames we can create (a dynamic) application-document like relationships between two pages.
