v0.4.0 (P0-2) — Cloudflare Mesh runtime adapter.
Cloudflare Mesh (announced 2026-04-24) defines the lifecycle-attestation envelope that agent infrastructure is moving to: every workload presents a SPIFFE-style identity plus an attestation token, and every privileged op carries an audit envelope back to a chained ledger. This crate makes Mnemo speak that protocol, so Mesh-deployed agents can use Mnemo as their memory plane without losing the lifecycle-attestation chain.
Three pieces:
- [identity::MeshIdentity] — the (workload_spiffe_id, attestation_token) pair the caller presents on every op.
- [policy::MeshPolicyEnforcer] — pluggable ACL that decides whether the caller can perform a [MemOp] against a [Namespace].
- [MeshAuditEnvelope] — chained-HMAC envelope that links each decision back to the existing memory-provenance chain head, so audit-log export emits one continuous ledger instead of two parallel ones.
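The pluggable-ACL idea from the second bullet, as an added sketch that is not this crate's code: a deny-by-default enforcer that matches SPIFFE IDs only at path-segment boundaries. The `Identity`, `Rule`, `PolicyEnforcer` and `StaticAcl` types, the `MemOp` variants, and the `mesh.example` trust domain are hypothetical stand-ins, and the attestation token is assumed to have been verified before the ACL runs.

```rust
// Added illustration: hypothetical stand-in types, not this crate's API.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum MemOp { Read, Write, Delete }

pub struct Identity<'a> {
    pub workload_spiffe_id: &'a str,
    pub attestation_token: &'a str, // assumed verified before the ACL runs
}

pub struct Rule {
    pub spiffe_prefix: &'static str, // written without a trailing '/'
    pub namespace: &'static str,
    pub ops: &'static [MemOp],
}

pub trait PolicyEnforcer {
    fn allows(&self, who: &Identity<'_>, op: MemOp, namespace: &str) -> bool;
}

pub struct StaticAcl { pub rules: Vec<Rule> }

// True when `id` equals `prefix` or extends it at a '/' boundary, so
// ".../agents/planner" never matches ".../agents/planner-evil".
fn id_under(id: &str, prefix: &str) -> bool {
    id.strip_prefix(prefix).map_or(false, |rest| rest.is_empty() || rest.starts_with('/'))
}

impl PolicyEnforcer for StaticAcl {
    fn allows(&self, who: &Identity<'_>, op: MemOp, namespace: &str) -> bool {
        // Deny by default: no token or a non-SPIFFE ID never reaches the rules.
        if who.attestation_token.is_empty() || !who.workload_spiffe_id.starts_with("spiffe://") {
            return false;
        }
        self.rules.iter().any(|r| r.namespace == namespace && r.ops.contains(&op)
            && id_under(who.workload_spiffe_id, r.spiffe_prefix))
    }
}

// Constructed sample policy; the trust domain and namespaces are made up.
pub fn sample_acl() -> StaticAcl {
    StaticAcl { rules: vec![
        Rule { spiffe_prefix: "spiffe://mesh.example/agents/planner", namespace: "planner-memory", ops: &[MemOp::Read, MemOp::Write] },
        Rule { spiffe_prefix: "spiffe://mesh.example/agents", namespace: "shared", ops: &[MemOp::Read] },
    ] }
}

fn main() {
    let who = Identity { workload_spiffe_id: "spiffe://mesh.example/agents/planner-evil", attestation_token: "constructed-token" };
    println!("lookalike write allowed: {}", sample_acl().allows(&who, MemOp::Write, "planner-memory"));
}
```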