Skip to content

RFC: Optional dotNsIdentifier and permissioned external-account access#245

Draft
valentinfernandez1 wants to merge 2 commits into
mainfrom
vf/rfc-dotNs-remove
Draft

RFC: Optional dotNsIdentifier and permissioned external-account access#245
valentinfernandez1 wants to merge 2 commits into
mainfrom
vf/rfc-dotNs-remove

Conversation

@valentinfernandez1

@valentinfernandez1 valentinfernandez1 commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Summary

The account, signing, and statement-store calls that operate on a product account take a
ProductAccountId { dotNsIdentifier, derivationIndex }, and dotNsIdentifier is optional.

  • Omit it and the call addresses the caller's own product. The host resolves the domain from the
    authenticated caller, so the common case only needs a derivationIndex.
  • Supply a domain that names a different product and the call is cross-product access, gated behind a
    new ExternalAccount remote permission. Like ChainSubmit and StatementSubmit, it is triggered
    implicitly the first time a product makes such a call, and the host accepts or rejects based on the
    grant.
// Own account, the common case
await truapi.account.getAccount({ productAccountId: { derivationIndex: 0 } });

// Another product's account, requires the ExternalAccount permission
await truapi.account.getAccount({
  productAccountId: { dotNsIdentifier: "another-product.dot", derivationIndex: 0 },
});

Host-side enforcement of the ExternalAccount permission lives in the host and is not part of this
change. This PR defines the wire types, the permission variant, and the trait documentation.

Drop dotNsIdentifier from the seven local account, signing, and
statement-store request bodies, callers pass only derivationIndex and
the host resolves the caller's own domain.
@valentinfernandez1

Copy link
Copy Markdown
Collaborator Author

Keeping as draft for now as this is a big breaking change and we need to settle on the best versioning strategy for this

@valentunn

Copy link
Copy Markdown
Contributor

The dotNsIdentifier is present there intentionally: some products are interested in requesting accounts of other products

Hard NO from my side

@valentinfernandez1

Copy link
Copy Markdown
Collaborator Author

Thanks for the feedback @valentunn, I was not aware of this requirement since in general we want per product isolation.

Still part of my design still applies, I invite you to read though the issue as this is not necessarily removing it but rather removing it from these calls and creating explicit permissioned calls for products that want to access the user's account in another product.

So if a product wants to access an account that is not from its on product it must be first explicitly be granted permission by the user

@valentinfernandez1

Copy link
Copy Markdown
Collaborator Author

I will refactor this draft though as I realized that there is a simpler way to approach this by keeping the dotNsIdentifier (maybe make it optional) and if the dotNsIdentifier is different from the one on the current product the host can accept or reject the call depending on whether the user has provided ExternalAccountAccees permission (new permission to be added here)

@valentinfernandez1 valentinfernandez1 changed the title RFC: Remove dotNsIdentifier from default account access RFC: Optional dotNsIdentifier and permissioned external-account access Jul 1, 2026
@valentinfernandez1

Copy link
Copy Markdown
Collaborator Author

Refactoring is done, I have also updated the title and description of this Draft to reflect the updated behavior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants