Skip to content

RFC-0011: Contacts API#137

Closed
filvecchiato wants to merge 3 commits into
release/0.7from
rfc/0011-contacts-api
Closed

RFC-0011: Contacts API#137
filvecchiato wants to merge 3 commits into
release/0.7from
rfc/0011-contacts-api

Conversation

@filvecchiato

Copy link
Copy Markdown
Contributor

RFC: Contacts API

Summary

Expose the user's contact list to products. Each contact pairs local metadata with a context-scoped map keyed by DotNS path (same as Ring VRF context). Two access tiers: own-context (default) and cross-context (privileged).

Checklist

  • Added docs/rfcs/0011-contacts-api.md with completed frontmatter
  • Filled all RFC sections (Summary, Motivation, Detailed Design, Drawbacks, Alternatives, Unresolved Questions)
  • Updated docs/rfcs/_index.md with a link to the new RFC
  • Added labels: rfc, proposal

Motivation

Products need to resolve human-readable identities to accounts. The host manages a contact list but does not expose it. This RFC defines host_contacts_get and host_contacts_subscribe with a two-tier permission model that preserves unlinkability across product contexts by default.

@filvecchiato filvecchiato added rfc Request For Change proposal labels Apr 17, 2026
@TarikGul TarikGul self-requested a review April 17, 2026 19:19
Comment thread docs/rfcs/0011-contacts-api.md
| Permission | Tier | Grants |
|-----------|------|--------|
| `Contacts` | 1 | Own-context entries + local info |
| `ContactsCrossContext` | 2 | Full entries across all contexts |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these permissions be added in RFC-002?

Comment thread docs/rfcs/0012-account-access-permission.md Outdated

@BigTava BigTava left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec would benefit from an example. Also, there is no mention of privileged access from products like Browse.

Comment thread docs/rfcs/0011-contacts-api.md Outdated

## Motivation

Products need to resolve human-readable identities to accounts. Without a contacts API, users must paste raw keys or scan QR codes for every interaction.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can products resolve any account to a human-readable identity? Or just the accounts available in the contacts?

Comment thread docs/rfcs/0011-contacts-api.md Outdated

The host already manages a contact list. Exposing it:

1. **Removes friction** — products can show names instead of raw addresses.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this associated with the user very personal contacts list? Does it apply for any raw address?

Introduce host_contacts_get and host_contacts_subscribe methods.
Contacts are scoped by DotNS path (same as Ring VRF context) with
two access tiers: own-context (default) and cross-context (privileged).
- Change ContactContext from ProductAccountId to DotNsIdentifier
- Clarify this is the user's address book, not a global resolver
- Specify Contacts/ContactsCrossContext as DevicePermission variants
- Add concrete tier 1 example
- Address host-privileged product access (Browse)
@filvecchiato filvecchiato force-pushed the rfc/0011-contacts-api branch from bb78e6a to 4701598 Compare April 20, 2026 14:57
DerivationIndex is needed — a product may have multiple derived
accounts under the same DotNsIdentifier.

@BigTava BigTava left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments. Looks good for a first draft. In general, I think we are missing a bit more detail over how this fits the current Account model and chats list.

| | |
| --------------- | --------------------------------------------------------------- |
| **Start Date** | 2026-04-17 |
| **Description** | Expose the user's contact list to products via Host API |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: via TruAPI no?


## Motivation

Products need to resolve human-readable identities to accounts. The host manages an address book but does not expose it. Without this API, users must paste raw keys or scan QR codes for every interaction.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is trying to solve "human-readable identities", but letting products leverage the user' social circle to provide useful features. I think of it as Spotify connecting to your Facebook friends, or WhatsApp reading your phone's contact list.


Exposing the contact list:

1. **Removes friction** — products show names instead of raw addresses.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but not of all raw addresses and names, but very specific to the host list of contacts.

Exposing the contact list:

1. **Removes friction** — products show names instead of raw addresses.
2. **Enables cross-product identity** — multiple products resolve the same contact within their respective contexts.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously we state "cross-context access is a separate privilege". I think what we are trying to unlock is "per-product views of a shared local contact".


1. **Removes friction** — products show names instead of raw addresses.
2. **Enables cross-product identity** — multiple products resolve the same contact within their respective contexts.
3. **Preserves user control** — the host gates access and filters responses to the requesting product's scope.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not exclusive of this RFC. Too generic point.

Unknown(GenericErr)
}

fn host_contacts_get() -> Result<Vec<Contact>, ContactsErr>;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this have an argument DotNS identifier. If the identifier matches the current app i.e. user is in host-playground.dot and the app calls host_contacts_get("host-playground") then it falls into tier 1 access, while if host_contacts_get("browse.dot") it falls into the tier 2 access?


### Privacy-Preserving Display

The host can render a contact picker in a privileged overlay using full contact data, returning only the selected contact's own-context entry to the product. This lets users see rich details without the product receiving cross-context data. The overlay mechanism is host-specific and out of scope.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this would be an implementation detail related to how the permission modal would render in the UI, no?

- **Full-list delivery.** No per-contact queries. The overlay pattern partially addresses this for picker UIs.
- **Read-only.** Products cannot add contacts. Deferred intentionally.

## Alternatives

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very hard to depict what these alternatives were.

3. **Contact mutation.** Write access deferred to a follow-up RFC.
4. **Filtered subscriptions.** Should tier 2 `host_contacts_subscribe` accept a context filter?
5. **Overlay specification.** The exact overlay mechanism needs its own spec.
6. **Pagination.** May be needed for large contact lists.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would Pagination be a problem in terms of query size?


Breaks unlinkability — any product could correlate aliases across all contexts.

## Unresolved Questions

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add "how does a contact end up in the address book to begin with?".

@filvecchiato

Copy link
Copy Markdown
Contributor Author

closing in favour of paritytech/truapi#17

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

proposal rfc Request For Change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants