Context
Namespace ownership, visibility, and access are 100% off-chain in D1 today — CloudflareNamespaceStore in apps/api/src/worker.ts stores owner_id + visibility + ctxm_* read tokens, and docs/namespace-model.md confirms "private" is just a Bearer-token check, not anything on-chain. This module makes namespace ownership a real Sui object so it can be the authority record for provenance (roadmap §2) and the link target between a namespace and its Walrus blob / Harbor Bucket / SEAL policy.

Goal / user story
As a namespace owner, my namespace exists as an on-chain Namespace object that records who owns it, whether it's public/private, its SEAL policy (when private), and a pointer to its latest attribution receipt — so ownership and provenance are verifiable on Sui, not just trusted from a D1 row.

Acceptance criteria
module contextmem::registry defines a Namespace struct with: name: String (the demo:/web:/walrus: namespace string from docs/namespace-model.md), owner: address, visibility: u8 (0=public, 1=private), seal_policy_id: Option<ID>, display_name: String, description: String, walrus_blob_id: Option<String>, created_at_ms: u64, head_receipt: Option<ID>.
public fun register_namespace(...) creates a shared Namespace (so the sponsored service signer and later readers can both touch it) and emits a NamespaceRegistered event.
Owner-gated mutators (assert ns.owner == ctx.sender() or an explicit cap): set_visibility, set_seal_policy, set_display, set_walrus_blob, transfer_ownership.
public fun set_head_receipt(ns: &mut Namespace, receipt_id: ID, ctx) — owner/authority gated — lets the receipt-mint flow advance the head pointer (consumed by the receipt module / on-chain TS client).
#[test] coverage: register, owner-only mutation succeeds, non-owner mutation aborts, visibility/seal-policy round-trip.

Implementation notes
Source-of-truth decision (roadmap open question §2): for the alpha, keep D1 authoritative and the on-chain Namespace as an attestation/mirror — far less plumbing than making chain authoritative. Document this; the TS client backfills/syncs D1 → chain.
Visibility ↔ SEAL: visibility=1 (private) should carry a seal_policy_id populated from Harbor's on-chain Seal policy object (private namespace ⇔ owned Seal policy, per roadmap §1). Confirm Harbor exposes the policy id to store here. walrus_blob_id mirrors the WalrusStorageReceipt.blobId.
Authority model: with the scaffold's signer decision (service key signs, Enoki sponsors gas), ns.owner will initially be the service key address. If/when user wallets land, transfer_ownership hands it to the user. Avoid baking user-wallet assumptions in now.
Cross-module head pointer: set_head_receipt is the seam the receipt mint calls; keep the auth check here so receipt stays a pure attestation minter. A dedicated WriterCap (roadmap §2 P2 cap module) can replace the sender-equality check later — out of scope.
Shared vs owned: prefer shared Namespace so a sponsored backend tx can mutate head_receipt without the object being in the user's address; document the consensus-cost tradeoff.

Sui Overflow angle
Turns "namespace ownership" from an invisible database column into a first-class Sui object that links Walrus storage + SEAL access control + attribution receipts into one verifiable graph — the on-chain backbone judges can inspect, and the natural home for the private-namespace SEAL story.

Dependencies
Requires the Move scaffold issue.
Pairs with the receipt module (its head_receipt/parents reference these objects).
SEAL policy id linkage depends on Harbor integration landing — the field can ship now and be populated later.

Part of the ContextMEM roadmap (#4) • Sui Overflow build.
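
A minimal Move sketch of the registry described in the acceptance criteria, added here as an illustration and not the project's own code. It assumes the Move 2024 edition; the `register_namespace` parameter list, the error constants, the `assert_owner` helper and the event fields are assumptions that the issue does not specify.

```move
module contextmem::registry;

use std::string::String;
use sui::clock::Clock;
use sui::event;

const ENotOwner: u64 = 0;      // assumed error code
const EBadVisibility: u64 = 1; // assumed error code
public struct Namespace has key {
    id: UID,
    name: String,
    owner: address,
    visibility: u8, // 0=public, 1=private
    seal_policy_id: Option<ID>,
    display_name: String,
    description: String,
    walrus_blob_id: Option<String>,
    created_at_ms: u64,
    head_receipt: Option<ID>,
}
public struct NamespaceRegistered has copy, drop { namespace_id: ID, owner: address }

// A shared object can be passed to any transaction, so this check is the only gate.
fun assert_owner(ns: &Namespace, ctx: &TxContext) {
    assert!(ns.owner == ctx.sender(), ENotOwner);
}

// Parameter list is assumed; the issue only writes `register_namespace(...)`.
public fun register_namespace(name: String, display_name: String, description: String,
    visibility: u8, clock: &Clock, ctx: &mut TxContext) {
    assert!(visibility <= 1, EBadVisibility);
    let ns = Namespace {
        id: object::new(ctx), name, owner: ctx.sender(), visibility, display_name, description,
        seal_policy_id: option::none(), walrus_blob_id: option::none(),
        created_at_ms: clock.timestamp_ms(), head_receipt: option::none(),
    };
    event::emit(NamespaceRegistered { namespace_id: object::id(&ns), owner: ns.owner });
    transfer::share_object(ns);
}

public fun set_head_receipt(ns: &mut Namespace, receipt_id: ID, ctx: &TxContext) {
    assert_owner(ns, ctx);
    ns.head_receipt = option::some(receipt_id);
}

public fun transfer_ownership(ns: &mut Namespace, new_owner: address, ctx: &TxContext) {
    assert_owner(ns, ctx);
    ns.owner = new_owner;
}
```

Every mutator calls `assert_owner` before touching a field, which is the behaviour the "non-owner mutation aborts" test in the acceptance criteria should pin down. While `ns.owner` is the service key address, that key controls every namespace object it registered.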