
Namespace→Space/Bucket/Seal mapping + Harbor service-key management in Worker secrets #7

Description

@harrymove-ctrl

Context

Namespaces are app-layer strings (namespaceForTarget, packages/core/src/utils.ts) tracked in the contextmem_namespaces D1 table (migrations 0002_hosted_namespaces.sql / 0003_namespace_platform.sql). To store private blobs in Harbor we must map each namespace to a Harbor Space/Bucket + Seal policy and persist those ids for recall, and the Worker needs the Harbor API key + SUI service key as secrets (mirroring resolveMemwalCreds, worker.ts:3341).

Goal / user story

As ContextMEM, I want a deterministic namespace → Space/Bucket/Seal-policy mapping persisted in D1, plus the Harbor/Sui credentials wired into Worker secrets — so any private remember/recall can resolve its on-chain storage targets.

Acceptance criteria

  • New migration apps/api/migrations/0007_*.sql adds space_id, bucket_id, seal_policy_id, seal_identity_salt, and storage_provider columns to contextmem_namespaces.
  • CloudflareNamespaceStore (worker.ts:401) reads/writes the new columns; a helper resolves-or-creates the Bucket + policy for a private namespace lazily on first private write and persists the ids.
  • WorkerEnv (worker.ts:32) gains HARBOR_API_KEY, HARBOR_SERVICE_PRIVATE_KEY (suiprivkey1...), and HARBOR_SPACE_ID; .env.example and apps/api/cloudflare/wrangler.example.jsonc document them; a resolveHarborCreds(request, env) mirrors resolveMemwalCreds' header-or-secret precedence.
  • One Space per environment (prod/staging); deterministic Bucket name per namespace string (documented mapping, e.g. sha256 of the namespace).
  • DECISION recorded: shared service key (simple, decrypts everything) vs per-owner key (true isolation) — reflected in the credential helper.
  • Secrets are never logged; handling is consistent with existing key redaction (sanitizeMemwalKey pattern).

Implementation notes

  • Set secrets via wrangler secret put HARBOR_API_KEY --config apps/api/cloudflare/wrangler.jsonc (and the staging --env staging variant); use decodeSuiPrivateKey for the service key.
  • Bucket creation goes through HarborClient.createBucket. Persisting the ids lets GET /api/memwal/artifact resolve refs without re-deriving.
  • Keep the namespace→bucket mapping deterministic so the Node CLI/MCP path and the Worker agree on the same bucket for a given namespace.
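The deterministic namespace→bucket mapping, the header-or-secret credential precedence, the key-redaction rule and the lazy resolve-or-create step described in the acceptance criteria and implementation notes above, carried through as one added TypeScript example. This is not code from the ContextMEM repository: the `x-harbor-*` header names, the `NamespaceStore`/`BucketCreator` interfaces, the in-memory store and the fake client are assumptions standing in for `CloudflareNamespaceStore` and `HarborClient`, the bucket name is the full hex sha256 of the namespace string (assuming Harbor accepts 64-character names), and the `suiprivkey1` prefix check stands in for the `decodeSuiPrivateKey` call the real Worker would make.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Secret names follow the WorkerEnv fields in the issue; header names,
// interfaces and the fake store/client below are assumptions for this example.
export interface HarborEnv {
  HARBOR_API_KEY?: string;
  HARBOR_SERVICE_PRIVATE_KEY?: string;
  HARBOR_SPACE_ID?: string;
}
export interface HarborCreds {
  apiKey: string;
  servicePrivateKey: string;
  spaceId: string;
}
// Structural view of fetch Headers so the helper also runs outside a Worker.
export interface HeaderSource {
  get(name: string): string | null;
}

const HEADER_API_KEY = "x-harbor-api-key"; // assumed header name
const HEADER_SERVICE_KEY = "x-harbor-service-key"; // assumed header name
const SUI_PRIVKEY_PREFIX = "suiprivkey1";

/** Deterministic bucket name: hex sha256 of the exact namespace string. */
export function bucketNameForNamespace(namespace: string): string {
  return createHash("sha256").update(namespace, "utf8").digest("hex");
}

/** Redact a key for logs: short prefix plus last four characters, never the whole value. */
export function sanitizeHarborKey(key: string | undefined): string {
  if (!key) return "<unset>";
  if (key.length <= 12) return "<redacted>";
  return `${key.slice(0, 6)}...${key.slice(-4)}`;
}

/** Header-or-secret precedence: a per-request header wins, else the Worker secret. */
export function resolveHarborCreds(headers: HeaderSource, env: HarborEnv): HarborCreds {
  const apiKey = headers.get(HEADER_API_KEY) ?? env.HARBOR_API_KEY;
  const servicePrivateKey = headers.get(HEADER_SERVICE_KEY) ?? env.HARBOR_SERVICE_PRIVATE_KEY;
  const spaceId = env.HARBOR_SPACE_ID; // one Space per environment, never per request
  if (!apiKey || !servicePrivateKey || !spaceId) {
    throw new Error("Harbor credentials incomplete"); // message carries no key material
  }
  // Cheap shape check; the real Worker would call decodeSuiPrivateKey here.
  if (!servicePrivateKey.startsWith(SUI_PRIVKEY_PREFIX)) {
    throw new Error(`service key is not ${SUI_PRIVKEY_PREFIX}-encoded: ${sanitizeHarborKey(servicePrivateKey)}`);
  }
  return { apiKey, servicePrivateKey, spaceId };
}

/** Row shape mirroring the columns the 0007 migration adds to contextmem_namespaces. */
export interface NamespaceStorageRow {
  space_id: string;
  bucket_id: string;
  seal_policy_id: string;
  seal_identity_salt: string;
  storage_provider: string;
}
export interface NamespaceStore {
  get(namespace: string): NamespaceStorageRow | undefined;
  put(namespace: string, row: NamespaceStorageRow): void;
}
export interface BucketCreator {
  createBucket(spaceId: string, name: string): { bucketId: string; sealPolicyId: string };
}

/** Resolve-or-create on first private write; later calls reuse the persisted ids. */
export function resolveOrCreateStorageTarget(
  namespace: string, store: NamespaceStore, client: BucketCreator, creds: HarborCreds,
): NamespaceStorageRow {
  const existing = store.get(namespace);
  if (existing) return existing;
  const created = client.createBucket(creds.spaceId, bucketNameForNamespace(namespace));
  const row: NamespaceStorageRow = {
    space_id: creds.spaceId,
    bucket_id: created.bucketId,
    seal_policy_id: created.sealPolicyId,
    seal_identity_salt: randomBytes(16).toString("hex"),
    storage_provider: "harbor",
  };
  store.put(namespace, row);
  return row;
}

// In-memory stand-ins (constructed for this example) for the D1 store and HarborClient.
export class MemoryNamespaceStore implements NamespaceStore {
  private rows = new Map<string, NamespaceStorageRow>();
  get(namespace: string): NamespaceStorageRow | undefined { return this.rows.get(namespace); }
  put(namespace: string, row: NamespaceStorageRow): void { this.rows.set(namespace, row); }
}
export class FakeHarborClient implements BucketCreator {
  calls = 0;
  createBucket(spaceId: string, name: string): { bucketId: string; sealPolicyId: string } {
    this.calls += 1;
    return { bucketId: `${spaceId}/bucket-${name.slice(0, 8)}`, sealPolicyId: `policy-${name.slice(0, 8)}` };
  }
}
```

Because the bucket name depends only on the namespace string, the Node CLI/MCP path and the Worker derive the same name without sharing state; the persisted row is what lets later recalls skip re-deriving and skip `createBucket`. The only place a key reaches an error message is through `sanitizeHarborKey`, so the thrown errors are safe to log.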

Sui Overflow angle

Establishes the per-namespace on-chain object graph (Bucket + Seal-policy objects on Sui testnet) and the signing key that creates them — the reproducible backbone that makes the Sui-native private-memory demo work identically across prod and staging.

Dependencies

Depends on the HarborClient.createBucket issue; feeds the StorageProvider + SEAL encrypted remember/recall issue.

Part of the ContextMEM roadmap (#4) • Sui Overflow build.

Metadata

Labels

  • P0: Demo-blocking: required for a working Sui Overflow demo
  • feature: User- or agent-facing capability
  • harbor: Harbor encrypted Walrus storage on Sui (Space/Bucket/File)
  • platform: Backend platform plumbing: Worker, D1, queues, secrets, metering