mnemo-mesh 0.4.3

SPIFFE-style identity + per-namespace ACL for Mnemo agents (v0.4.0 P0-2). Speaks the lifecycle-attestation envelope Cloudflare Mesh expects.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

//! v0.4.0 (P0-2) — Cloudflare Mesh runtime adapter.
//!
//! Cloudflare Mesh (announced 2026-04-24) defines the
//! lifecycle-attestation envelope agent infrastructure is moving to:
//! every workload presents a SPIFFE-style identity + an attestation
//! token, and every privileged op carries an audit envelope back to
//! a chained ledger. This crate makes Mnemo speak that protocol so
//! Mesh-deployed agents can use Mnemo as their memory plane without
//! losing the lifecycle-attestation chain.
//!
//! Three pieces:
//!
//! 1. [`identity::MeshIdentity`] — the (workload_spiffe_id,
//!    attestation_token) pair the caller presents on every op.
//! 2. [`policy::MeshPolicyEnforcer`] — pluggable ACL that decides
//!    whether the caller can perform a [`MemOp`] against a
//!    [`Namespace`].
//! 3. [`MeshAuditEnvelope`] — chained-HMAC envelope that links each
//!    decision back to the existing memory-provenance chain head, so
//!    audit-log export emits one continuous ledger instead of two
//!    parallel ones.

pub mod identity;
pub mod policy;

use std::time::SystemTime;

use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};

pub use identity::MeshIdentity;
pub use policy::{MeshPolicyEnforcer, PolicyDecision, StaticPolicyEnforcer};

/// Tenant + scope qualifier the policy decides against. Matches
/// Cloudflare Mesh namespace shape: `<tenant>/<scope>`.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Ord, PartialOrd, Serialize, Deserialize)]
pub struct Namespace {
    pub tenant: String,
    pub scope: String,
}

impl Namespace {
    pub fn new(tenant: impl Into<String>, scope: impl Into<String>) -> Self {
        Self {
            tenant: tenant.into(),
            scope: scope.into(),
        }
    }

    pub fn as_label(&self) -> String {
        format!("{}/{}", self.tenant, self.scope)
    }
}

/// The privileged operations Mesh ACLs gate. Matches the verbs an
/// LLM-host agent could try to invoke against Mnemo. New verbs land
/// here when new privileged tools appear in the MCP catalog.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Ord, PartialOrd, Serialize, Deserialize)]
pub enum MemOp {
    Recall,
    Write,
    Forget,
    Branch,
    ReplayAsOf,
    ExportProvenance,
}

impl MemOp {
    pub fn as_str(&self) -> &'static str {
        match self {
            MemOp::Recall => "recall",
            MemOp::Write => "write",
            MemOp::Forget => "forget",
            MemOp::Branch => "branch",
            MemOp::ReplayAsOf => "replay_as_of",
            MemOp::ExportProvenance => "export_provenance",
        }
    }
}

/// Audit envelope appended to the chained ledger after every authorized
/// op. The `prev_chain_head` matches the existing
/// `mnemo-core::provenance` HMAC chain, so an export joins memory
/// receipts and Mesh decisions on a single timeline.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct MeshAuditEnvelope {
    pub caller_spiffe: String,
    pub op: MemOp,
    pub namespace: Namespace,
    pub decided: PolicyDecision,
    /// HMAC of the existing provenance chain right before this op.
    /// 32 raw bytes; serialise as hex/base64 at the wire boundary.
    pub prev_chain_head: [u8; 32],
    pub envelope_at: SystemTime,
}

impl MeshAuditEnvelope {
    /// Hash this envelope into the next chain head. Pure fn so the
    /// audit-log writer can compute heads without touching the
    /// caller's HMAC key.
    pub fn next_chain_head(&self, prev_head: &[u8; 32]) -> [u8; 32] {
        let mut h = Sha256::new();
        h.update(prev_head);
        h.update(self.caller_spiffe.as_bytes());
        h.update(b"|");
        h.update(self.op.as_str().as_bytes());
        h.update(b"|");
        h.update(self.namespace.as_label().as_bytes());
        h.update(b"|");
        h.update(self.decided.as_str().as_bytes());
        h.update(b"|");
        h.update(
            chrono::DateTime::<chrono::Utc>::from(self.envelope_at)
                .to_rfc3339()
                .as_bytes(),
        );
        h.finalize().into()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn env(decision: PolicyDecision) -> MeshAuditEnvelope {
        MeshAuditEnvelope {
            caller_spiffe: "spiffe://t1/a1".into(),
            op: MemOp::Recall,
            namespace: Namespace::new("t1", "shared"),
            decided: decision,
            prev_chain_head: [0u8; 32],
            envelope_at: SystemTime::UNIX_EPOCH,
        }
    }

    #[test]
    fn next_chain_head_is_deterministic() {
        let e = env(PolicyDecision::Allow);
        let h1 = e.next_chain_head(&[0u8; 32]);
        let h2 = e.next_chain_head(&[0u8; 32]);
        assert_eq!(h1, h2);
    }

    #[test]
    fn next_chain_head_changes_with_decision() {
        let allow = env(PolicyDecision::Allow);
        let deny = env(PolicyDecision::DenyMissingIdentity);
        assert_ne!(
            allow.next_chain_head(&[0u8; 32]),
            deny.next_chain_head(&[0u8; 32])
        );
    }

    #[test]
    fn next_chain_head_changes_with_namespace() {
        let mut e = env(PolicyDecision::Allow);
        let h1 = e.next_chain_head(&[1u8; 32]);
        e.namespace = Namespace::new("t1", "private");
        let h2 = e.next_chain_head(&[1u8; 32]);
        assert_ne!(h1, h2);
    }

    #[test]
    fn memop_strings_round_trip() {
        for op in [
            MemOp::Recall,
            MemOp::Write,
            MemOp::Forget,
            MemOp::Branch,
            MemOp::ReplayAsOf,
            MemOp::ExportProvenance,
        ] {
            let s = op.as_str();
            assert!(!s.is_empty());
            assert_eq!(s, s.to_lowercase());
        }
    }
}