v0.4.0 (P0-2) — Cloudflare Mesh runtime adapter.
Cloudflare Mesh (announced 2026-04-24) defines the lifecycle-attestation envelope that agent infrastructure is moving to: every workload presents a SPIFFE-style identity plus an attestation token, and every privileged op carries an audit envelope back to a chained ledger. This crate makes Mnemo speak that protocol, so Mesh-deployed agents can use Mnemo as their memory plane without breaking the lifecycle-attestation chain.
Three pieces:
- `identity::MeshIdentity`: the (`workload_spiffe_id`, `attestation_token`) pair the caller presents on every op.
- `policy::MeshPolicyEnforcer`: pluggable ACL that decides whether the caller may perform a `MemOp` against a `Namespace`.
- `MeshAuditEnvelope`: chained-HMAC envelope that links each decision back to the existing memory-provenance chain head, so an audit-log export emits one continuous ledger instead of two parallel ones.
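How the three pieces fit together, as an added example that is not the crate's own code: a default-deny static enforcer, an audit envelope that chains from the provenance head, and a verifier that walks the ledger back to that head. The type names follow this page; their field layouts, the `Ledger` type, the length-prefixed field encoding, and the use of SipHash-2-4 from the standard library in place of the crate's HMAC are assumptions made so the example runs with std alone.

```rust
use std::hash::Hasher;

// Hypothetical stand-ins for the crate's types: names follow the page, field
// layouts and the ledger encoding are assumptions made for this example.
#[derive(Debug, Clone, PartialEq)]
pub struct MeshIdentity { pub workload_spiffe_id: String, pub attestation_token: String }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum MemOp { Read, Write, Delete }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum PolicyDecision { Allow, Deny }
#[derive(Debug, Clone, PartialEq)]
pub struct Namespace { pub tenant: String, pub scope: String }

impl Namespace {
    /// Parse the `<tenant>/<scope>` shape; empty parts or a third segment are rejected.
    pub fn parse(s: &str) -> Option<Namespace> {
        let mut parts = s.split('/');
        let (tenant, scope) = (parts.next()?, parts.next()?);
        if parts.next().is_some() || tenant.is_empty() || scope.is_empty() { return None; }
        Some(Namespace { tenant: tenant.to_string(), scope: scope.to_string() })
    }
}

pub trait MeshPolicyEnforcer {
    fn decide(&self, who: &MeshIdentity, op: MemOp, ns: &Namespace) -> PolicyDecision;
}

/// Static ACL rows of (workload SPIFFE ID, tenant, allowed verbs); anything unmatched is denied.
pub struct StaticPolicyEnforcer { pub rules: Vec<(String, String, Vec<MemOp>)> }

impl MeshPolicyEnforcer for StaticPolicyEnforcer {
    fn decide(&self, who: &MeshIdentity, op: MemOp, ns: &Namespace) -> PolicyDecision {
        // A caller that presents no attestation token never reaches the ACL lookup.
        if who.attestation_token.is_empty() { return PolicyDecision::Deny; }
        let hit = self.rules.iter().any(|(id, tenant, ops)| {
            *id == who.workload_spiffe_id && *tenant == ns.tenant && ops.contains(&op)
        });
        if hit { PolicyDecision::Allow } else { PolicyDecision::Deny }
    }
}

/// One ledger entry. It names the workload but deliberately omits the attestation
/// token, so an exported ledger does not leak a replayable credential.
#[derive(Debug, Clone, PartialEq)]
pub struct MeshAuditEnvelope {
    pub prev_chain_head: u64,
    pub workload_spiffe_id: String,
    pub op: MemOp,
    pub namespace: String,
    pub decision: PolicyDecision,
    pub chain_head: u64,
}

/// Keyed tag over a length-prefixed encoding of the fields, so bytes cannot be shifted
/// between fields to forge a colliding entry. SipHash-2-4 from std is a std-only
/// stand-in (64-bit tag) for the HMAC the crate's chain uses.
#[allow(deprecated)]
fn link_tag(key: (u64, u64), prev: u64, id: &str, op: MemOp, ns: &str, d: PolicyDecision) -> u64 {
    let mut h = std::hash::SipHasher::new_with_keys(key.0, key.1);
    h.write_u64(prev);
    for field in [id, ns].iter() {
        h.write_u64(field.len() as u64);
        h.write(field.as_bytes());
    }
    h.write_u8(op as u8);
    h.write_u8(d as u8);
    h.finish()
}

pub struct Ledger { key: (u64, u64), pub head: u64, pub entries: Vec<MeshAuditEnvelope> }

impl Ledger {
    /// `genesis` is the current head of the memory-provenance chain this ledger continues.
    pub fn new(key: (u64, u64), genesis: u64) -> Ledger {
        Ledger { key, head: genesis, entries: Vec::new() }
    }

    /// Ask the policy, record the decision (allow or deny) as an envelope, advance the head.
    pub fn authorize(&mut self, policy: &dyn MeshPolicyEnforcer, who: &MeshIdentity, op: MemOp, ns: &Namespace) -> PolicyDecision {
        let decision = policy.decide(who, op, ns);
        let namespace = format!("{}/{}", ns.tenant, ns.scope);
        let chain_head = link_tag(self.key, self.head, &who.workload_spiffe_id, op, &namespace, decision);
        self.entries.push(MeshAuditEnvelope {
            prev_chain_head: self.head, workload_spiffe_id: who.workload_spiffe_id.clone(),
            op, namespace, decision, chain_head,
        });
        self.head = chain_head;
        decision
    }

    /// Re-derive every link from `genesis`: Ok(final head) if intact, otherwise Err(index)
    /// of the first envelope whose fields or prev link do not match what the key reproduces.
    pub fn verify(key: (u64, u64), genesis: u64, entries: &[MeshAuditEnvelope]) -> Result<u64, usize> {
        let mut head = genesis;
        for (i, e) in entries.iter().enumerate() {
            let expected = link_tag(key, head, &e.workload_spiffe_id, e.op, &e.namespace, e.decision);
            if e.prev_chain_head != head || e.chain_head != expected { return Err(i); }
            head = e.chain_head;
        }
        Ok(head)
    }
}
```

Two design points worth keeping when wiring this to the real crate: the verifier walks from the provenance head, so a dropped, reordered or edited envelope breaks the `prev_chain_head` equality at that index, but a truncated tail is only caught if the expected final head is known from the provenance chain or another anchor; and denials are recorded too, since a ledger that only shows allowed ops cannot tell an auditor what an agent tried and was refused.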
Re-exports
pub use identity::MeshIdentity;
pub use policy::MeshPolicyEnforcer;
pub use policy::PolicyDecision;
pub use policy::StaticPolicyEnforcer;
Modules
- identity
- SPIFFE-style identity types (v0.4.0 P0-2).
- policy
- Per-namespace ACL enforcement (v0.4.0 P0-2).
Structs
- MeshAuditEnvelope
- Audit envelope appended to the chained ledger after every authorized op. The `prev_chain_head` matches the existing `mnemo-core::provenance` HMAC chain, so an export joins memory receipts and Mesh decisions on a single timeline.
- Namespace
- Tenant + scope qualifier the policy decides against. Matches the Cloudflare Mesh namespace shape: `<tenant>/<scope>`.
Enums
- MemOp
- The privileged operations Mesh ACLs gate. Matches the verbs an LLM-host agent could try to invoke against Mnemo. New verbs land here when new privileged tools appear in the MCP catalog.