Summary
Add an "Attendee Privacy" toggle that is independent of event visibility (public/unlisted/private). When enabled, only organizers can see who is attending.
Problem
Users want to RSVP to discoverable events without broadcasting their attendance. Current model ties attendance visibility to event visibility:
- Public events → attendance is public (on ATProtocol/firehose)
- Unlisted events → attendance visible to anyone with URL
There's demand for a middle ground: discoverable events where attendance remains private.
Proposed Solution
Add an independent toggle: Attendee Privacy (enabled/disabled)
When attendee privacy is enabled:
- UI: No attendees section shown to non-organizers (or shows "Attendance is private")
- API: Attendee endpoints return 403 or empty for non-organizers
- ATProtocol: Attendance records are NOT published to PDS regardless of event visibility
- Organizers still see full attendee list in dashboard
This creates a clean orthogonal model:
| Event Visibility |
Attendee Privacy |
Use Case |
| Public |
Off |
Social events, networking ("see who's going!") |
| Public |
On |
Discoverable but attendance protected |
| Unlisted |
Off |
Semi-private, attendees can see each other |
| Unlisted |
On |
Support groups, sensitive gatherings |
| Private |
Off |
Exclusive events, guest list is part of appeal |
| Private |
On |
High-security, even invitees don't see each other |
Implementation Notes
- Database: Add
attendee_privacy_enabled: boolean to events table
- Default:
false (current behavior preserved)
- API enforcement required - not just UI hiding
- Consider: Should attendee count be hidden too, or just the list?
Acceptance Criteria
Summary
Add an "Attendee Privacy" toggle that is independent of event visibility (public/unlisted/private). When enabled, only organizers can see who is attending.
Problem
Users want to RSVP to discoverable events without broadcasting their attendance. Current model ties attendance visibility to event visibility:
There's demand for a middle ground: discoverable events where attendance remains private.
Proposed Solution
Add an independent toggle: Attendee Privacy (enabled/disabled)
When attendee privacy is enabled:
This creates a clean orthogonal model:
Implementation Notes
attendee_privacy_enabled: booleanto events tablefalse(current behavior preserved)Acceptance Criteria