RFC-0011: Contacts API#137
Conversation
| | Permission | Tier | Grants | | ||
| |-----------|------|--------| | ||
| | `Contacts` | 1 | Own-context entries + local info | | ||
| | `ContactsCrossContext` | 2 | Full entries across all contexts | |
There was a problem hiding this comment.
Should these permissions be added in RFC-002?
BigTava
left a comment
There was a problem hiding this comment.
The spec would benefit from an example. Also, there is no mention of privileged access from products like Browse.
|
|
||
| ## Motivation | ||
|
|
||
| Products need to resolve human-readable identities to accounts. Without a contacts API, users must paste raw keys or scan QR codes for every interaction. |
There was a problem hiding this comment.
Can products resolve any account to a human-readable identity? Or just the accounts available in the contacts?
|
|
||
| The host already manages a contact list. Exposing it: | ||
|
|
||
| 1. **Removes friction** — products can show names instead of raw addresses. |
There was a problem hiding this comment.
How is this associated with the user very personal contacts list? Does it apply for any raw address?
Introduce host_contacts_get and host_contacts_subscribe methods. Contacts are scoped by DotNS path (same as Ring VRF context) with two access tiers: own-context (default) and cross-context (privileged).
- Change ContactContext from ProductAccountId to DotNsIdentifier - Clarify this is the user's address book, not a global resolver - Specify Contacts/ContactsCrossContext as DevicePermission variants - Add concrete tier 1 example - Address host-privileged product access (Browse)
bb78e6a to
4701598
Compare
DerivationIndex is needed — a product may have multiple derived accounts under the same DotNsIdentifier.
BigTava
left a comment
There was a problem hiding this comment.
Left some comments. Looks good for a first draft. In general, I think we are missing a bit more detail over how this fits the current Account model and chats list.
| | | | | ||
| | --------------- | --------------------------------------------------------------- | | ||
| | **Start Date** | 2026-04-17 | | ||
| | **Description** | Expose the user's contact list to products via Host API | |
|
|
||
| ## Motivation | ||
|
|
||
| Products need to resolve human-readable identities to accounts. The host manages an address book but does not expose it. Without this API, users must paste raw keys or scan QR codes for every interaction. |
There was a problem hiding this comment.
I don't think this is trying to solve "human-readable identities", but letting products leverage the user' social circle to provide useful features. I think of it as Spotify connecting to your Facebook friends, or WhatsApp reading your phone's contact list.
|
|
||
| Exposing the contact list: | ||
|
|
||
| 1. **Removes friction** — products show names instead of raw addresses. |
There was a problem hiding this comment.
Yes, but not of all raw addresses and names, but very specific to the host list of contacts.
| Exposing the contact list: | ||
|
|
||
| 1. **Removes friction** — products show names instead of raw addresses. | ||
| 2. **Enables cross-product identity** — multiple products resolve the same contact within their respective contexts. |
There was a problem hiding this comment.
Previously we state "cross-context access is a separate privilege". I think what we are trying to unlock is "per-product views of a shared local contact".
|
|
||
| 1. **Removes friction** — products show names instead of raw addresses. | ||
| 2. **Enables cross-product identity** — multiple products resolve the same contact within their respective contexts. | ||
| 3. **Preserves user control** — the host gates access and filters responses to the requesting product's scope. |
There was a problem hiding this comment.
Not exclusive of this RFC. Too generic point.
| Unknown(GenericErr) | ||
| } | ||
|
|
||
| fn host_contacts_get() -> Result<Vec<Contact>, ContactsErr>; |
There was a problem hiding this comment.
Shouldn't this have an argument DotNS identifier. If the identifier matches the current app i.e. user is in host-playground.dot and the app calls host_contacts_get("host-playground") then it falls into tier 1 access, while if host_contacts_get("browse.dot") it falls into the tier 2 access?
|
|
||
| ### Privacy-Preserving Display | ||
|
|
||
| The host can render a contact picker in a privileged overlay using full contact data, returning only the selected contact's own-context entry to the product. This lets users see rich details without the product receiving cross-context data. The overlay mechanism is host-specific and out of scope. |
There was a problem hiding this comment.
I guess this would be an implementation detail related to how the permission modal would render in the UI, no?
| - **Full-list delivery.** No per-contact queries. The overlay pattern partially addresses this for picker UIs. | ||
| - **Read-only.** Products cannot add contacts. Deferred intentionally. | ||
|
|
||
| ## Alternatives |
There was a problem hiding this comment.
Very hard to depict what these alternatives were.
| 3. **Contact mutation.** Write access deferred to a follow-up RFC. | ||
| 4. **Filtered subscriptions.** Should tier 2 `host_contacts_subscribe` accept a context filter? | ||
| 5. **Overlay specification.** The exact overlay mechanism needs its own spec. | ||
| 6. **Pagination.** May be needed for large contact lists. |
There was a problem hiding this comment.
Would Pagination be a problem in terms of query size?
|
|
||
| Breaks unlinkability — any product could correlate aliases across all contexts. | ||
|
|
||
| ## Unresolved Questions |
There was a problem hiding this comment.
I would add "how does a contact end up in the address book to begin with?".
|
closing in favour of paritytech/truapi#17 |
RFC: Contacts API
Summary
Expose the user's contact list to products. Each contact pairs local metadata with a context-scoped map keyed by DotNS path (same as Ring VRF context). Two access tiers: own-context (default) and cross-context (privileged).
Checklist
docs/rfcs/0011-contacts-api.mdwith completed frontmatterdocs/rfcs/_index.mdwith a link to the new RFCrfc,proposalMotivation
Products need to resolve human-readable identities to accounts. The host manages a contact list but does not expose it. This RFC defines
host_contacts_getandhost_contacts_subscribewith a two-tier permission model that preserves unlinkability across product contexts by default.