Per-read memory-provenance signing (v0.4.0-rc3 Task B1).
v0.3.x signs writes — every MemoryRecord carries a SHA-256
content_hash chained via prev_hash, and the audit log export
signs the chain with Ed25519. v0.4.0-rc3 adds the equivalent for
reads: every engine.recall(..., with_provenance=true) returns
a ReadProvenance HMAC that proves which writes the recall
derives from. A clinician auditing an LLM response can verify
offline that the cited memories really were the ones the model saw.
§Threat model
- Source-record tamper. An attacker mutates a MemoryRecord in storage between the recall and the audit. Detected because verify_read_provenance recomputes each record’s content_hash and compares to the RecordRef in the provenance.
- HMAC tamper. An attacker fabricates a provenance receipt pointing at innocuous records. Detected because the HMAC binds the receipt’s read_id || query_hash || derived_from to a server-side secret the attacker doesn’t have.
- Key rotation. The receipt’s hmac_key_id lets the verifier look up the historical key for a past read, so rotating the signing key doesn’t break old audits.
Out of scope: full non-repudiation (would need Ed25519 — HMAC is
cheaper but only verifiable by parties with the key). For
externally-auditable receipts, pair the provenance with the
existing mnemo-compliance Ed25519-signed audit log export.
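The three checks in the threat model, as an added Python sketch (not the crate's code or its API). The function names, the dict layout of the receipt, and the length-prefixed byte encoding of read_id || query_hash || derived_from are assumptions; the keys and records are constructed sample values.

```python
import hashlib
import hmac

def content_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def _message(read_id, query_hash, derived_from) -> bytes:
    # Assumed encoding: each field is length-prefixed so that the
    # concatenation read_id || query_hash || derived_from is unambiguous.
    parts = [read_id, query_hash]
    parts += [f"{ref['id']}:{ref['content_hash']}" for ref in derived_from]
    return b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)

def _tag(key: bytes, receipt: dict) -> str:
    msg = _message(receipt["read_id"], receipt["query_hash"], receipt["derived_from"])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_read(key_id: str, key: bytes, read_id: str, query: str, records: dict) -> dict:
    """Hypothetical signer: build a receipt over the records a recall returned."""
    receipt = {
        "read_id": read_id,
        "query_hash": hashlib.sha256(query.encode()).hexdigest(),
        "derived_from": [{"id": rid, "content_hash": content_hash(body)}
                         for rid, body in records.items()],
        "hmac_key_id": key_id,
    }
    receipt["hmac"] = _tag(key, receipt)
    return receipt

def verify_read(receipt: dict, keystore: dict, storage: dict) -> str:
    """Hypothetical verifier: returns 'ok' or the name of the first failed check."""
    key = keystore.get(receipt["hmac_key_id"])  # key rotation: look up by id
    if key is None:
        return "unknown-key"
    if not hmac.compare_digest(_tag(key, receipt), receipt["hmac"]):
        return "hmac-mismatch"                  # HMAC tamper
    for ref in receipt["derived_from"]:
        current = storage.get(ref["id"])
        if current is None or content_hash(current) != ref["content_hash"]:
            return "record-tampered"            # source-record tamper
    return "ok"

# Constructed sample data: k1 is a retired key, k2 the current one.
KEYSTORE = {"k1": b"constructed-old-secret", "k2": b"constructed-new-secret"}
STORAGE = {"m1": b"allergy: penicillin", "m2": b"dose: 5 mg"}

if __name__ == "__main__":
    receipt = sign_read("k1", KEYSTORE["k1"], "read-001", "known allergies?", STORAGE)
    print(verify_read(receipt, KEYSTORE, STORAGE))
    print(verify_read(receipt, KEYSTORE, dict(STORAGE, m2=b"dose: 50 mg")))
```

The HMAC is checked before the record hashes, so a forged receipt is rejected without consulting storage at all.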
Structs§
- ProvenanceSigner - In-process HMAC-SHA256 signer for the recall hot path.
- ReadProvenance - Cryptographic receipt that an engine.recall call returned the listed memories.
- RecordRef - One source record cited by a ReadProvenance.
Enums§
Traits§
- ProvenanceKeystore - Pluggable keystore for verifiers — supports at least one historical key.
Functions§
- verify_read_provenance - Verify a ReadProvenance receipt against the source records.