namespace: reshape NameRecord JSON to align with Python resolver

Convergence on the Python resolver shape (PR #1795 `snrc-resolve.py`) so
a names router can be backed either by the direct-ETH-RPC resolver or by
the Python REST resolver without changing the wire format clients see.

Wire-level changes:

- Add `nickname`, `website`, `location`, `simplex.contact`,
  `simplex.channel`, `ETH`, `BTC`, `XMR`, `DOT`, `resolver` (SNRC
  contract address that produced the record); all but `name`, `owner`,
  `resolver` are optional.
- Drop `displayName` (now `name`), `channelLinks`, `contactLinks`,
  `adminAddress`, `adminEmail`, `expiry`, `isTest`.
- The wire NameRecord no longer carries `expiry`; clients trust the
  server's filter. Expiry checking moves into `decodeGetRecord`, which
  now takes a `nowSec :: Int64` argument (the placeholder remains, but
  the field-layout-aware decoder will apply the filter once it lands).
- Testnet status is derived from the queried TLD (`TLDTesting` vs
  `TLDSimplex`) rather than an in-record flag.

Other:

- ToJSON/FromJSON are hand-rolled because Aeson TH doesn't accommodate
  dot-keys (`simplex.contact`) or uppercase coin keys (`ETH`/`BTC`...).
- `NameLink` newtype is removed (no longer used internally); per-field
  byte caps are applied directly in the FromJSON parser.
- Update the canonical-encoding spec in protocol/simplex-messaging.md.

Author: shumvgolove

protocol/simplex-messaging.md

@@ -1493,14 +1493,23 @@ name = %s"NAME" SP json-bytes   ; json-bytes consumes the remainder of the trans
 
 | Field | JSON type | Constraints |
 |---|---|---|
-| `displayName` | string | ≤ 255 bytes UTF-8 |
+| `name` | string | ≤ 255 bytes UTF-8 |
+| `nickname` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset |
+| `website` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
+| `location` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
+| `simplex.contact` | string or null | ≤ 1024 bytes UTF-8; same null / absent rules |
+| `simplex.channel` | string or null | ≤ 1024 bytes UTF-8; same null / absent rules |
+| `ETH` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
+| `BTC` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
+| `XMR` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
+| `DOT` | string or null | ≤ 255 bytes UTF-8; same null / absent rules |
 | `owner` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes) |
-| `channelLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count of `channelLinks + contactLinks` ≤ 8 |
-| `contactLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count cap shared with `channelLinks` |
-| `adminAddress` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset |
-| `adminEmail` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset |
-| `expiry` | integer | Int64 Unix seconds, MUST be ≥ 0; `0` means "never expires" |
-| `isTest` | boolean | true on testnet deployments |
+| `resolver` | string | `"0x"` followed by 40 lowercase hex characters; the SNRC contract address that produced the record |
+
+The server MUST filter expired records before constructing the response
+(returning `ERR AUTH` to the client), so the wire format carries no expiry
+field. Testnet-vs-mainnet status is derived from the queried TLD rather than
+an in-record flag.
 
 Receivers MUST tolerate extra unknown fields (forward-compatibility for future
 field additions). Adding a required field is a breaking change requiring an
@@ -1511,8 +1520,8 @@ producing the same `NameRecord` MUST emit byte-identical JSON: emit object
 keys in the order listed above, integers without decimal points, no
 insignificant whitespace.
 
-**Wire-size budget.** A maximal `nameRecord` (8 × 1024-byte links plus
-maximal admin / display strings) JSON-encodes to roughly 9 KB, well under the
+**Wire-size budget.** A maximal `nameRecord` (two 1024-byte SimpleX links
+plus the other capped strings) JSON-encodes to roughly 4 KB, well under the
 SMP proxied transmission budget of 16224 bytes.
 
 ## Transport connection with the SMP router

src/Simplex/Messaging/Protocol.hs

@@ -168,9 +168,6 @@ module Simplex.Messaging.Protocol
     NameOwner,
     mkNameOwner,
     unNameOwner,
-    NameLink,
-    mkNameLink,
-    unNameLink,
     MsgFlags (..),
     initialSMPClientVersion,
     currentSMPClientVersion,
@@ -774,80 +771,79 @@ instance J.FromJSON RslvRequest where
     contract <- o J..: "contract"
     pure RslvRequest {name, contract}
 
--- | A name-record link (channel or contact). Bare constructor not exported;
--- use `mkNameLink` to enforce the ≤1024-byte UTF-8 invariant.
-newtype NameLink = NameLink Text
-  deriving (Eq, Show)
-
-mkNameLink :: Text -> Either String NameLink
-mkNameLink t
-  | B.length (encodeUtf8 t) <= 1024 = Right (NameLink t)
-  | otherwise = Left "NameLink too long"
-
-unNameLink :: NameLink -> Text
-unNameLink (NameLink t) = t
-{-# INLINE unNameLink #-}
-
-instance J.ToJSON NameLink where
-  toJSON (NameLink t) = J.toJSON t
-
-instance J.FromJSON NameLink where
-  parseJSON = J.withText "NameLink" (either fail pure . mkNameLink)
-
 -- | Resolved name record returned by the names role.
 --   Wire format is JSON — change requires an SMP version bump.
+--   JSON keys match the Python resolver (PR #1795 `snrc-resolve.py`) so the
+--   same server can be backed by either the direct-ETH-RPC resolver or the
+--   Python REST resolver without changing the wire format clients see.
 data NameRecord = NameRecord
-  { nrDisplayName :: Text,
+  { nrName :: Text,
+    nrNickname :: Maybe Text,
+    nrWebsite :: Maybe Text,
+    nrLocation :: Maybe Text,
+    nrSimplexContact :: Maybe Text,
+    nrSimplexChannel :: Maybe Text,
+    nrEth :: Maybe Text,
+    nrBtc :: Maybe Text,
+    nrXmr :: Maybe Text,
+    nrDot :: Maybe Text,
     nrOwner :: NameOwner,
-    nrChannelLinks :: [NameLink],
-    nrContactLinks :: [NameLink],
-    nrAdminAddress :: Maybe Text,
-    nrAdminEmail :: Maybe Text,
-    nrExpiry :: Int64, -- Unix seconds, ≥ 0
-    nrIsTest :: Bool
+    nrResolver :: NameOwner -- SNRC contract address that produced the record
   }
   deriving (Eq, Show)
 
+-- Hand-rolled JSON instances: dot-keys ("simplex.contact", "simplex.channel")
+-- and uppercase coin keys ("ETH", "BTC", "XMR", "DOT") fall outside Aeson TH's
+-- field-label conventions.
 instance J.ToJSON NameRecord where
-  toJSON NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} =
+  toJSON NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} =
     J.object
-      [ "displayName" J..= nrDisplayName,
+      [ "name" J..= nrName,
+        "nickname" J..= nrNickname,
+        "website" J..= nrWebsite,
+        "location" J..= nrLocation,
+        "simplex.contact" J..= nrSimplexContact,
+        "simplex.channel" J..= nrSimplexChannel,
+        "ETH" J..= nrEth,
+        "BTC" J..= nrBtc,
+        "XMR" J..= nrXmr,
+        "DOT" J..= nrDot,
         "owner" J..= nrOwner,
-        "channelLinks" J..= nrChannelLinks,
-        "contactLinks" J..= nrContactLinks,
-        "adminAddress" J..= nrAdminAddress,
-        "adminEmail" J..= nrAdminEmail,
-        "expiry" J..= nrExpiry,
-        "isTest" J..= nrIsTest
+        "resolver" J..= nrResolver
       ]
   -- explicit toEncoding to preserve the spec-documented key order; the default
   -- routes through Value/KeyMap and re-emits keys alphabetically, breaking the
   -- "two routers MUST emit byte-identical JSON" requirement.
-  toEncoding NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} =
+  toEncoding NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} =
     J.pairs $
-      "displayName" J..= nrDisplayName
+      "name" J..= nrName
+        <> "nickname" J..= nrNickname
+        <> "website" J..= nrWebsite
+        <> "location" J..= nrLocation
+        <> "simplex.contact" J..= nrSimplexContact
+        <> "simplex.channel" J..= nrSimplexChannel
+        <> "ETH" J..= nrEth
+        <> "BTC" J..= nrBtc
+        <> "XMR" J..= nrXmr
+        <> "DOT" J..= nrDot
         <> "owner" J..= nrOwner
-        <> "channelLinks" J..= nrChannelLinks
-        <> "contactLinks" J..= nrContactLinks
-        <> "adminAddress" J..= nrAdminAddress
-        <> "adminEmail" J..= nrAdminEmail
-        <> "expiry" J..= nrExpiry
-        <> "isTest" J..= nrIsTest
+        <> "resolver" J..= nrResolver
 
 instance J.FromJSON NameRecord where
   parseJSON = J.withObject "NameRecord" $ \o -> do
-    nrDisplayName <- o J..: "displayName" >>= capUtf8 "displayName" 255
+    nrName <- o J..: "name" >>= capUtf8 "name" 255
+    nrNickname <- o J..:? "nickname" >>= traverse (capUtf8 "nickname" 255)
+    nrWebsite <- o J..:? "website" >>= traverse (capUtf8 "website" 255)
+    nrLocation <- o J..:? "location" >>= traverse (capUtf8 "location" 255)
+    nrSimplexContact <- o J..:? "simplex.contact" >>= traverse (capUtf8 "simplex.contact" 1024)
+    nrSimplexChannel <- o J..:? "simplex.channel" >>= traverse (capUtf8 "simplex.channel" 1024)
+    nrEth <- o J..:? "ETH" >>= traverse (capUtf8 "ETH" 255)
+    nrBtc <- o J..:? "BTC" >>= traverse (capUtf8 "BTC" 255)
+    nrXmr <- o J..:? "XMR" >>= traverse (capUtf8 "XMR" 255)
+    nrDot <- o J..:? "DOT" >>= traverse (capUtf8 "DOT" 255)
     nrOwner <- o J..: "owner"
-    nrChannelLinks <- o J..: "channelLinks"
-    nrContactLinks <- o J..: "contactLinks"
-    when (length nrChannelLinks + length nrContactLinks > 8) $
-      fail "combined channelLinks + contactLinks > 8"
-    nrAdminAddress <- o J..:? "adminAddress" >>= traverse (capUtf8 "adminAddress" 255)
-    nrAdminEmail <- o J..:? "adminEmail" >>= traverse (capUtf8 "adminEmail" 255)
-    nrExpiry <- o J..: "expiry"
-    when (nrExpiry < 0) $ fail "expiry must be non-negative"
-    nrIsTest <- o J..: "isTest"
-    pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest}
+    nrResolver <- o J..: "resolver"
+    pure NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver}
     where
       capUtf8 fld lim t
         | B.length (encodeUtf8 t) <= lim = pure t

src/Simplex/Messaging/Server/Names.hs

@@ -41,7 +41,7 @@ import Data.Text.Encoding (encodeUtf8)
 import Data.Time.Clock.POSIX (getPOSIXTime)
 import Simplex.Messaging.Encoding.String (strDecode)
 import Simplex.Messaging.Util (eitherToMaybe)
-import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), unNameOwner)
+import Simplex.Messaging.Protocol (NameOwner, NameRecord, RslvRequest (..), unNameOwner)
 import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv)
 import Simplex.Messaging.Server.Names.Eth.SNRC (decodeAddress, decodeGetRecord, encodeGetRecord, isZeroOwner, namehash)
 import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..), fullDomainName)
@@ -166,34 +166,27 @@ resolveName env contract d = do
           pure (Left EthHttpErr)
 
 fetch :: NamesEnv -> NameOwner -> SimplexNameDomain -> IO (Either ResolveError NameRecord)
-fetch env@NamesEnv {ethCall} contract d =
+fetch env@NamesEnv {ethCall} contract d = do
+  nowSec <- floor <$> getPOSIXTime
   ethCall (unNameOwner contract) (encodeGetRecord (namehash (encodeUtf8 (fullDomainName d)))) >>= \case
     Left e -> pure (Left (mapEthRpcError e))
-    Right ret -> case decodeGetRecord ret of
+    Right ret -> case decodeGetRecord nowSec ret of
       Right Nothing -> notFoundWithPlaceholderWarn ret
-      Right (Just rec) -> checkExpiry rec
+      Right (Just rec) -> pure (Right rec)
       Left _ -> pure (Left EthDecodeErr)
   where
     -- decodeGetRecord is currently a placeholder: it returns Right Nothing
     -- for BOTH "zero-owner sentinel" (real NotFound) and "non-zero owner
     -- with real data but no ABI decoder yet". Inspect the owner slot
     -- directly to distinguish, and surface the latter once per process so
     -- an operator who enables [NAMES] against a working SNRC contract sees
-    -- the resolver is functionally stubbed.
+    -- the resolver is functionally stubbed. Expired records are filtered
+    -- inside the decoder (using the `nowSec` argument) so the wire
+    -- NameRecord never carries an expiry field.
     notFoundWithPlaceholderWarn ret = do
       forM_ (eitherToMaybe (decodeAddress 32 ret)) $ \owner ->
         unless (isZeroOwner owner) (warnPlaceholderOnce env)
       pure (Left NotFound)
-    -- Defense in depth: the SNRC contract should already return the
-    -- zero-owner sentinel for expired records, but a buggy / pre-upgrade
-    -- contract might not. nrExpiry == 0 means "never expires" (reserved
-    -- names); any positive expiry in the past is treated as NotFound.
-    checkExpiry rec = do
-      nowSec <- floor <$> getPOSIXTime
-      pure $
-        if nrExpiry rec /= 0 && nrExpiry rec < nowSec
-          then Left NotFound
-          else Right rec
 
 warnPlaceholderOnce :: NamesEnv -> IO ()
 warnPlaceholderOnce NamesEnv {placeholderWarned} = do

src/Simplex/Messaging/Server/Names/Eth/SNRC.hs

@@ -170,17 +170,24 @@ decodeStringArray depth headEnd off cntCap byteCap buf
 
 -- | Decode the ABI-encoded return value of getRecord(bytes32) into a NameRecord.
 -- Zero-owner (0x000...000) is reported as Right Nothing so the caller maps it
--- to NotFound (ENS-style sentinel).
+-- to NotFound (ENS-style sentinel). Records whose on-chain expiry is in the
+-- past are also reported as Right Nothing — clients trust the server's filter
+-- and the wire NameRecord carries no expiry field.
+--
+-- `nowSec` is the current Unix time the caller wants the expiry compared
+-- against. Pass `0` to disable the expiry check.
 --
 -- PLACEHOLDER: returns Right Nothing for any non-zero owner until the Part 1
 -- SNRC contract ABI is finalised. All ABI primitives above are production-ready;
--- only the field-layout-aware composition is pending.
-decodeGetRecord :: ByteString -> Either AbiError (Maybe NameRecord)
-decodeGetRecord buf
+-- only the field-layout-aware composition (and the expiry slot read) is
+-- pending.
+decodeGetRecord :: Int64 -> ByteString -> Either AbiError (Maybe NameRecord)
+decodeGetRecord _nowSec buf
   | B.length buf < 32 * 8 = Left AbiTruncated
   -- Both arms return Nothing today: the zero-owner branch is the real ENS-style
-  -- NotFound sentinel; the non-zero branch is the SNRC-ABI placeholder. They
-  -- separate once the field-layout decoder lands.
+  -- NotFound sentinel; the non-zero branch is the SNRC-ABI placeholder (which
+  -- will also apply the `_nowSec` expiry filter once the field layout lands).
+  -- They separate once the field-layout decoder ships.
   | otherwise = Nothing <$ decodeAddress 32 buf
 
 isZeroOwner :: NameOwner -> Bool