ai-memory 0.7.1

AI-agnostic persistent memory system — MCP server, HTTP API, and CLI for any AI platform
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362

// Copyright 2026 AlphaOne LLC
// SPDX-License-Identifier: Apache-2.0

//! The node's own *outbound* federation credential — the one it presents
//! on the wire (`X-Memory-Cred`) so peers verify its per-message signature
//! against the trust bundle instead of a manually enrolled `.pub`.
//!
//! P3a held this in a boot-once `OnceLock<Option<SignedCredential>>` read
//! directly inside `post_once` — correct but frozen at first read, so a
//! renewed credential on disk was never picked up. This module replaces
//! that with a *reloadable* holder: a snapshot is taken per outbound POST
//! ([`current`]), and the P3b renewal worker swaps a fresh credential in
//! ([`store`] / [`reload_from_env`]) without restarting the daemon.
//!
//! The hot-path read returns an `Arc` snapshot so attaching the header
//! never clones the credential bytes and never holds the lock across the
//! network send.

use std::sync::{Arc, OnceLock, RwLock};

use super::credential::SignedCredential;

/// A reloadable slot holding zero-or-one outbound credential plus the
/// node's anchor-first intermediate CA certs (empty ⇒ a direct, root-signed
/// leaf — the P2/P3 one-level posture).
///
/// Separated from the process-global singleton ([`global`]) so the
/// swap/snapshot semantics are unit-testable without touching global
/// state. The lock is never held across a network send — callers take an
/// `Arc` snapshot and drop the guard immediately.
///
/// The leaf and intermediates live in independent slots because they rotate
/// on different cadences: the leaf is short-lived (≈1h) and renewed by the
/// file-refresh worker, while an intermediate CA cert is long-lived (≈1d)
/// and stable across many leaf renewals. Swapping the leaf must not clobber
/// the intermediates, so [`store`](Self::store) touches only the leaf slot.
#[derive(Debug)]
pub struct OutboundCredentialHolder {
    inner: RwLock<Option<Arc<SignedCredential>>>,
    intermediates: RwLock<Arc<Vec<SignedCredential>>>,
}

impl OutboundCredentialHolder {
    /// Construct a holder seeded with an initial credential (or none) and no
    /// intermediates (a direct leaf).
    #[must_use]
    pub fn new(initial: Option<SignedCredential>) -> Self {
        Self {
            inner: RwLock::new(initial.map(Arc::new)),
            intermediates: RwLock::new(Arc::new(Vec::new())),
        }
    }

    /// Construct a holder seeded with both a leaf and anchor-first
    /// intermediates (a hierarchical posture).
    #[must_use]
    pub fn with_chain(
        initial: Option<SignedCredential>,
        intermediates: Vec<SignedCredential>,
    ) -> Self {
        Self {
            inner: RwLock::new(initial.map(Arc::new)),
            intermediates: RwLock::new(Arc::new(intermediates)),
        }
    }

    /// Take a cheap `Arc` snapshot of the currently-held credential.
    /// `None` = this node holds no credential and presents only its
    /// per-message signature (receiver falls back to per-peer `.pub`).
    #[must_use]
    pub fn current(&self) -> Option<Arc<SignedCredential>> {
        self.read_guard().clone()
    }

    /// Take a cheap `Arc` snapshot of the held anchor-first intermediates.
    /// An empty list = a direct leaf (no [`CHAIN_HEADER`] is emitted).
    ///
    /// [`CHAIN_HEADER`]: super::chain::CHAIN_HEADER
    #[must_use]
    pub fn current_intermediates(&self) -> Arc<Vec<SignedCredential>> {
        self.intermediates_read_guard().clone()
    }

    /// Atomically replace the held credential — the renewal worker calls
    /// this after minting / loading a fresh one. A subsequent [`current`]
    /// observes the new value; in-flight snapshots keep their old `Arc`.
    /// Leaves the intermediates slot untouched.
    ///
    /// [`current`]: Self::current
    pub fn store(&self, cred: Option<SignedCredential>) {
        *self.write_guard() = cred.map(Arc::new);
    }

    /// Atomically replace the held intermediates (the slower-rotating
    /// intermediate-CA refresh path). Leaves the leaf slot untouched.
    pub fn store_intermediates(&self, intermediates: Vec<SignedCredential>) {
        *self.intermediates_write_guard() = Arc::new(intermediates);
    }

    fn read_guard(&self) -> std::sync::RwLockReadGuard<'_, Option<Arc<SignedCredential>>> {
        // Poison from a panic elsewhere must not wedge the federation
        // send path — recover the inner value rather than propagate.
        self.inner
            .read()
            .unwrap_or_else(std::sync::PoisonError::into_inner)
    }

    fn write_guard(&self) -> std::sync::RwLockWriteGuard<'_, Option<Arc<SignedCredential>>> {
        self.inner
            .write()
            .unwrap_or_else(std::sync::PoisonError::into_inner)
    }

    fn intermediates_read_guard(
        &self,
    ) -> std::sync::RwLockReadGuard<'_, Arc<Vec<SignedCredential>>> {
        self.intermediates
            .read()
            .unwrap_or_else(std::sync::PoisonError::into_inner)
    }

    fn intermediates_write_guard(
        &self,
    ) -> std::sync::RwLockWriteGuard<'_, Arc<Vec<SignedCredential>>> {
        self.intermediates
            .write()
            .unwrap_or_else(std::sync::PoisonError::into_inner)
    }
}

/// Load the held credential named by `AI_MEMORY_FED_CRED_PATH`, logging
/// (not propagating) a load fault — an unreadable/garbled credential file
/// must degrade to "hold nothing" (legacy per-peer path), never crash the
/// daemon or partition the hive.
fn load_from_env_logged() -> Option<SignedCredential> {
    SignedCredential::load_from_env().unwrap_or_else(|e| {
        tracing::warn!(target: crate::federation::SIGNING_TRACE_TARGET, error = %e,
            "failed to load outbound federation credential; presenting per-message signature only");
        None
    })
}

/// Load the held intermediates named by `AI_MEMORY_FED_CRED_CHAIN_PATH`,
/// logging (not propagating) a load fault — an unreadable/garbled chain file
/// must degrade to "hold no intermediates" (direct-leaf path), never crash
/// the daemon.
fn load_intermediates_from_env_logged() -> Vec<SignedCredential> {
    super::chain::load_intermediates_from_env().unwrap_or_else(|e| {
        tracing::warn!(target: crate::federation::SIGNING_TRACE_TARGET, error = %e,
            "failed to load outbound federation intermediate chain; presenting a direct leaf only");
        Vec::new()
    })
}

/// The process-wide outbound credential holder, seeded once from
/// `AI_MEMORY_FED_CRED_PATH` (leaf) + `AI_MEMORY_FED_CRED_CHAIN_PATH`
/// (intermediates) on first access.
fn global() -> &'static OutboundCredentialHolder {
    static GLOBAL: OnceLock<OutboundCredentialHolder> = OnceLock::new();
    GLOBAL.get_or_init(|| {
        OutboundCredentialHolder::with_chain(
            load_from_env_logged(),
            load_intermediates_from_env_logged(),
        )
    })
}

/// The process-wide holder, for the renewal worker to refresh in place.
#[must_use]
pub fn shared() -> &'static OutboundCredentialHolder {
    global()
}

/// Snapshot of the node's currently-held outbound credential (hot path,
/// called per outbound federation POST).
#[must_use]
pub fn current() -> Option<Arc<SignedCredential>> {
    global().current()
}

/// Snapshot of the node's held anchor-first intermediates (hot path, called
/// per outbound POST alongside [`current`] to emit the chain header).
#[must_use]
pub fn current_intermediates() -> Arc<Vec<SignedCredential>> {
    global().current_intermediates()
}

/// Replace the process-wide held credential with `cred` (renewal worker).
pub fn store(cred: Option<SignedCredential>) {
    global().store(cred);
}

/// Replace the process-wide held intermediates (intermediate-CA refresh).
pub fn store_intermediates(intermediates: Vec<SignedCredential>) {
    global().store_intermediates(intermediates);
}

/// Reload the process-wide held credential from `AI_MEMORY_FED_CRED_PATH`
/// — the file-refresh renewal path (an external issuer rewrites the file;
/// the worker re-reads it on a timer).
///
/// # Errors
/// Propagates a read/parse fault from [`SignedCredential::load_from_env`]
/// so the caller can log it; the previously-held credential is left
/// untouched on error (no swap to `None`).
pub fn reload_from_env() -> std::io::Result<()> {
    let next = SignedCredential::load_from_env()?;
    global().store(next);
    Ok(())
}

/// Reload the process-wide held intermediates from
/// `AI_MEMORY_FED_CRED_CHAIN_PATH` — the slower-rotating intermediate-CA
/// refresh path. An unset env var or missing file resets to no intermediates
/// (direct leaf).
///
/// # Errors
/// Propagates a read/parse fault from
/// [`super::chain::load_intermediates_from_env`]; the previously-held
/// intermediates are left untouched on error (no reset).
pub fn reload_intermediates_from_env() -> std::io::Result<()> {
    let next = super::chain::load_intermediates_from_env()?;
    global().store_intermediates(next);
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::federation::identity::issuer::{FederationIssuer, IssuerConfig};
    use ed25519_dalek::SigningKey;

    const NOW_UNIX: i64 = 1_900_000_000;

    fn signing_key(seed: u8) -> SigningKey {
        SigningKey::from_bytes(&[seed; 32])
    }

    fn issuer(seed: u8) -> FederationIssuer {
        FederationIssuer::new(
            signing_key(seed),
            IssuerConfig::new("trust-domain-root", "fleet.example"),
        )
    }

    fn cred_for(subject: &str, subject_seed: u8, issuer_seed: u8) -> SignedCredential {
        let subject_key = signing_key(subject_seed);
        issuer(issuer_seed)
            .issue(subject, &subject_key.verifying_key(), NOW_UNIX)
            .expect("mint")
    }

    #[test]
    fn empty_holder_yields_no_credential() {
        let holder = OutboundCredentialHolder::new(None);
        assert!(holder.current().is_none());
    }

    #[test]
    fn seeded_holder_yields_that_credential() {
        let cred = cred_for("region/nyc/node-1", 7, 1);
        let holder = OutboundCredentialHolder::new(Some(cred.clone()));
        let got = holder.current().expect("present");
        assert_eq!(got.credential(), cred.credential());
    }

    #[test]
    fn store_swaps_the_held_credential() {
        let holder = OutboundCredentialHolder::new(Some(cred_for("node-old", 7, 1)));
        let fresh = cred_for("node-new", 9, 1);
        holder.store(Some(fresh.clone()));
        let got = holder.current().expect("present");
        assert_eq!(got.credential().subject_agent_id, "node-new");
        assert_eq!(got.credential(), fresh.credential());
    }

    #[test]
    fn store_none_clears_the_credential() {
        let holder = OutboundCredentialHolder::new(Some(cred_for("node-x", 7, 1)));
        assert!(holder.current().is_some());
        holder.store(None);
        assert!(holder.current().is_none());
    }

    fn intermediate_cert(subject: &str, subject_seed: u8, issuer_seed: u8) -> SignedCredential {
        let subject_key = signing_key(subject_seed);
        issuer(issuer_seed)
            .issue_intermediate(subject, &subject_key.verifying_key(), NOW_UNIX)
            .expect("mint intermediate")
    }

    #[test]
    fn new_holder_has_no_intermediates() {
        let holder = OutboundCredentialHolder::new(Some(cred_for("node-1", 7, 1)));
        assert!(holder.current_intermediates().is_empty());
    }

    #[test]
    fn with_chain_seeds_both_leaf_and_intermediates() {
        let leaf = cred_for("region/nyc/node-1", 7, 2);
        let inter = intermediate_cert("region/nyc/ca", 2, 1);
        let holder = OutboundCredentialHolder::with_chain(Some(leaf), vec![inter.clone()]);
        let got = holder.current_intermediates();
        assert_eq!(got.len(), 1);
        assert_eq!(got[0].credential(), inter.credential());
    }

    #[test]
    fn store_intermediates_swaps_without_touching_leaf() {
        let leaf = cred_for("region/nyc/node-1", 7, 2);
        let holder = OutboundCredentialHolder::with_chain(Some(leaf.clone()), Vec::new());
        let inter = intermediate_cert("region/nyc/ca", 2, 1);
        holder.store_intermediates(vec![inter.clone()]);
        assert_eq!(holder.current_intermediates().len(), 1);
        // The leaf slot is untouched by the intermediates swap.
        assert_eq!(
            holder.current().expect("leaf present").credential(),
            leaf.credential()
        );
    }

    #[test]
    fn store_leaf_does_not_clobber_intermediates() {
        let inter = intermediate_cert("region/nyc/ca", 2, 1);
        let holder = OutboundCredentialHolder::with_chain(
            Some(cred_for("node-old", 7, 2)),
            vec![inter.clone()],
        );
        holder.store(Some(cred_for("node-new", 9, 2)));
        assert_eq!(
            holder
                .current()
                .expect("present")
                .credential()
                .subject_agent_id,
            "node-new"
        );
        // Renewing the short-lived leaf leaves the long-lived chain intact.
        assert_eq!(holder.current_intermediates().len(), 1);
        assert_eq!(
            holder.current_intermediates()[0].credential(),
            inter.credential()
        );
    }

    #[test]
    fn snapshot_taken_before_store_is_unaffected_by_swap() {
        let holder = OutboundCredentialHolder::new(Some(cred_for("node-a", 7, 1)));
        let snapshot = holder.current().expect("present");
        holder.store(Some(cred_for("node-b", 9, 1)));
        // The Arc taken before the swap still observes the old subject.
        assert_eq!(snapshot.credential().subject_agent_id, "node-a");
        assert_eq!(
            holder
                .current()
                .expect("present")
                .credential()
                .subject_agent_id,
            "node-b"
        );
    }
}