4.0 KiB
4.0 KiB
06. Twilio Lookup and Phone Reputation API Integration
meta: id: core-services-06 feature: core-services-implementation priority: P1 depends_on: [core-services-01] tags: [spamshield, reputation, twilio, caller-id, api-integration, table-stakes]
objective:
- Replace the stub Hiya/Truecaller lookup functions that return
{ score: 0, isSpam: false }with real phone reputation API integrations (Twilio Lookup) and integrate results into the spam classification pipeline.
deliverables:
- Twilio Lookup API client for caller name, line type, and carrier info
- Phone reputation scoring system with caching
- Integration with existing rule engine (reputation score augments rule-based decisions)
- STIR/SHAKEN attestation verification (if carrier partnership available)
- Rate-limited, cost-aware API usage
steps:
- Sign up for Twilio account and enable Lookup API at https://www.twilio.com/lookup
- Add
TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKENto.env.example - Create
spamshield/twilio.client.ts:lookupPhone(phoneNumber, type?)— caller name, line type (mobile/landline/VoIP), carrierlookupReputation(phoneNumber)— spam risk score, call volume, report countsverifyStirShaken(phoneNumber)— attestation level (A/B/C) if available
- Replace stub
lookupHiya()andlookupTruecaller()inreputation.api.tswith real Twilio calls - Implement reputation scoring algorithm:
- Twilio spam risk score (0–100) mapped to internal confidence (0.0–1.0)
- Line type weighting: VoIP = higher risk, landline = lower risk
- Carrier reputation: known spam carriers = +20 risk
- STIR/SHAKEN attestation: Full attestation (A) = -30 risk, None (C) = +20 risk
- Cache results in Redis with 24h TTL (phone numbers don't change reputation rapidly)
- Wire into
spamshield.service.ts:- Before rule engine, check reputation
- If reputation confidence > 0.7, block immediately
- If reputation confidence 0.4–0.7, flag for review
- If reputation confidence < 0.4, proceed to rule engine + ML classifier
- Add cost tracking: $0.004–$0.03 per lookup, track monthly usage per user
- Implement fallback: if Twilio API fails, use internal rule engine only (graceful degradation)
tests:
- Unit: Mock Twilio API responses, verify reputation scoring algorithm
- Integration: Test with real Twilio Lookup API using known spam number
- E2E: Submit spam check for phone number → verify reputation lookup → get classification result
acceptance_criteria:
lookupPhone()makes real HTTP request to Twilio Lookup API- Reputation scores are calculated from real Twilio data (not hardcoded zeros)
- High-reputation numbers (confidence > 0.7) trigger automatic block without rule/ML processing
- Cache stores reputation results for 24 hours, reducing API costs
- Twilio API failures gracefully fall back to rule engine (no crashes)
- Cost tracking records each lookup for billing analytics
- STIR/SHAKEN attestation is checked and factored into score when available
- VoIP lines get +20 risk weighting compared to landline
- Internal DB cache (
lookupInternalDB) is checked before Twilio API call - Rate limits: max 100 lookups/minute per user to prevent abuse
validation:
- Run
vitest run spamshield.service.test.ts— all tests pass - Manual: Check reputation for known spam number (e.g., reported robocall number), verify high score
- Check cache: Redis
GET spamshield:reputation:+15551234567returns cached result - Monitor cost: Database shows lookup usage per user per month
notes:
- Twilio Lookup costs $0.004 per basic lookup, $0.03 per advanced lookup (reputation, caller name)
- At 100 lookups/user/month, cost is $0.40–$3.00 per user — manageable at $12+/mo ARPU
- Hiya and Truecaller have proprietary APIs but require carrier partnerships — Twilio is the best consumer-accessible option
- STIR/SHAKEN requires telecom partner for full attestation data — implement if/when partnership exists
- The existing rule engine (
ruleEngine()) is functional — reputation augments it, doesn't replace it