Context
Namespaces are app-layer strings (namespaceForTarget, packages/core/src/utils.ts) tracked in the contextmem_namespaces D1 table (migrations 0002_hosted_namespaces.sql / 0003_namespace_platform.sql). To store private blobs in Harbor we must map each namespace to a Harbor Space/Bucket + Seal policy and persist those ids for recall, and the Worker needs the Harbor API key + SUI service key as secrets (mirroring resolveMemwalCreds, worker.ts:3341).
Goal / user story
As ContextMEM, I want a deterministic namespace → Space/Bucket/Seal-policy mapping persisted in D1, plus the Harbor/Sui credentials wired into Worker secrets — so any private remember/recall can resolve its on-chain storage targets.
Acceptance criteria
Implementation notes
- Set secrets via
wrangler secret put HARBOR_API_KEY --config apps/api/cloudflare/wrangler.jsonc (and the staging --env staging variant); use decodeSuiPrivateKey for the service key.
- Bucket creation goes through
HarborClient.createBucket. Persisting the ids lets GET /api/memwal/artifact resolve refs without re-deriving.
- Keep the namespace→bucket mapping deterministic so the Node CLI/MCP path and the Worker agree on the same bucket for a given namespace.
Sui Overflow angle
Establishes the per-namespace on-chain object graph (Bucket + Seal-policy objects on Sui testnet) and the signing key that creates them — the reproducible backbone that makes the Sui-native private-memory demo work identically across prod and staging.
Dependencies
The HarborClient.createBucket issue. Feeds the StorageProvider + SEAL encrypted remember/recall issue.
Part of the ContextMEM roadmap (#4) • Sui Overflow build.
Context
Namespaces are app-layer strings (
namespaceForTarget,packages/core/src/utils.ts) tracked in thecontextmem_namespacesD1 table (migrations0002_hosted_namespaces.sql/0003_namespace_platform.sql). To store private blobs in Harbor we must map each namespace to a Harbor Space/Bucket + Seal policy and persist those ids for recall, and the Worker needs the Harbor API key + SUI service key as secrets (mirroringresolveMemwalCreds,worker.ts:3341).Goal / user story
As ContextMEM, I want a deterministic namespace → Space/Bucket/Seal-policy mapping persisted in D1, plus the Harbor/Sui credentials wired into Worker secrets — so any private remember/recall can resolve its on-chain storage targets.
Acceptance criteria
apps/api/migrations/0007_*.sqladdsspace_id,bucket_id,seal_policy_id,seal_identity_salt, andstorage_providercolumns tocontextmem_namespaces.CloudflareNamespaceStore(worker.ts:401) reads/writes the new columns; a helper resolves-or-creates the Bucket + policy for a private namespace lazily on first private write and persists the ids.WorkerEnv(worker.ts:32) gainsHARBOR_API_KEY,HARBOR_SERVICE_PRIVATE_KEY(suiprivkey1...), andHARBOR_SPACE_ID;.env.exampleandapps/api/cloudflare/wrangler.example.jsoncdocument them; aresolveHarborCreds(request, env)mirrorsresolveMemwalCreds' header-or-secret precedence.sanitizeMemwalKeypattern).Implementation notes
wrangler secret put HARBOR_API_KEY --config apps/api/cloudflare/wrangler.jsonc(and the staging--env stagingvariant); usedecodeSuiPrivateKeyfor the service key.HarborClient.createBucket. Persisting the ids letsGET /api/memwal/artifactresolve refs without re-deriving.Sui Overflow angle
Establishes the per-namespace on-chain object graph (Bucket + Seal-policy objects on Sui testnet) and the signing key that creates them — the reproducible backbone that makes the Sui-native private-memory demo work identically across prod and staging.
Dependencies
The
HarborClient.createBucketissue. Feeds the StorageProvider + SEAL encrypted remember/recall issue.Part of the ContextMEM roadmap (#4) • Sui Overflow build.