Connected Systems — user-controlled integrations under PCHP
The architectural concept and design principles behind user-controlled integration surfaces (Connected Systems) managed via the central One Dashboard.
TL;DR: Connected Systems represent third-party services and applications integrated into the personal operating layer (One). Managed securely via the One Dashboard under strict PCHP consent boundaries, all data-sharing handshakes, credentials, and synchronized metadata are fully user-controlled and auditable.
Status as of 2026-06-19: see body.
Overview
Connected Systems represent external third-party applications, enterprise CRM systems, retail platforms, and productivity services that are granted secure, user-authorized access to a user's personal knowledge graph. Managed exclusively via the central One Dashboard (located at /one), this integration pattern shifts the authority of third-party integration from corporate silo databases to the user’s personal vault.
Unlike traditional integration patterns (where applications silently synchronize database records in backend channels), Connected Systems use PCHP (Personal Consent Handshake Protocol) to establish explicit, cryptographic, and duration-bounded handshakes for all data sharing.
The One Dashboard
The One Dashboard acts as the primary cockpit for the Personal Operating Layer. It is a secure, user-owned, and Apple-frame-aligned web/mobile surface that:
- Summarizes active, pending, and revoked data sharing.
- Provides a centralized view of all Connected Systems.
- Hosts the Consent Audit Timeline, offering granular visibility into exact times and reasons a Connected System read or wrote any personal data asset.
- Employs dynamic layout containers and pure-CSS responsive tables for absolute readability across desktop and mobile screens.
Core Architectural Invariants
- User-Held Secrets: Ephemeral access credentials and session tokens required to authenticate with Connected Systems are encrypted client-side using Secure Enclave-backed keys and are stored securely within the user's personal vault.
- PCHP Consent Bounds: A Connected System cannot pull or push data without an active PCHP consent receipt. These receipts detail the exact data fields, purpose (e.g., personal shopping recommendations, CRM contact lookup), and expiration time of the grant.
- No Direct Silo Sync: Third-party integrations communicate through the local user-agent runtime rather than corporate backend channels, guaranteeing that all synchronized data remains subject to the user’s on-device policy engine.
- Audit and Revocation: Every single interaction is logged in the user-visible Consent Audit Timeline. Users can instantly revoke any Connected System, causing immediate database-level purging of all local integration caches and remote token handshakes.
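The consent-bound and audit invariants above can be read as a deny-by-default check in the on-device policy engine. The sketch below is an added example, not PCHP's own code or wire format. The `Receipt` fields, the `PolicyEngine` class and the HMAC key standing in for a Secure Enclave-backed key are all assumptions made for illustration.

```python
import hashlib, hmac, json, time
from dataclasses import asdict, dataclass

# Assumption: software key standing in for a Secure Enclave-backed vault key.
VAULT_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Receipt:              # hypothetical receipt layout
    system_id: str
    fields: tuple           # exact data fields granted
    purpose: str
    operations: tuple       # "read" and/or "write"
    expires_at: float       # epoch seconds

def sign(receipt: Receipt) -> str:
    body = json.dumps(asdict(receipt), sort_keys=True).encode()
    return hmac.new(VAULT_KEY, body, hashlib.sha256).hexdigest()

class PolicyEngine:
    def __init__(self):
        self.revoked = set()    # revoked Connected System ids
        self.timeline = []      # Consent Audit Timeline entries

    def revoke(self, system_id):
        self.revoked.add(system_id)
        self.timeline.append({"system": system_id, "event": "revoked"})

    def authorize(self, receipt, mac, system_id, op, fields, purpose, now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(sign(receipt), mac):
            reason = "bad signature"
        elif receipt.system_id != system_id:
            reason = "wrong system"
        elif system_id in self.revoked:
            reason = "revoked"
        elif now >= receipt.expires_at:
            reason = "expired"
        elif op not in receipt.operations:
            reason = "operation not granted"
        elif purpose != receipt.purpose:
            reason = "purpose mismatch"
        elif not set(fields) <= set(receipt.fields):
            reason = "field outside grant"
        else:
            reason = None
        # Denials are logged as well as grants, so the timeline shows every attempt.
        self.timeline.append({"system": system_id, "op": op, "fields": list(fields),
                              "purpose": purpose, "allowed": reason is None, "reason": reason, "at": now})
        return reason is None
```

Every request, allowed or denied, lands in the timeline with its reason, which is what makes a revoked or expired grant visible to the user rather than silently ignored.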