Encrypted federation transport + sync-scoped token tier
Two additions for secure multi-node memory sharing:
🔐 App-layer sync encryption
Set a shared mesh key and sync bundles are wrapped in an authenticated AMOSENC1: envelope (Fernet — AES-128-CBC + HMAC-SHA256). The key is a separate secret from the bearer token and never crosses the wire, so memory content stays confidential even over plain HTTP or through a TLS-terminating proxy. Bundles encrypted under an unknown key are rejected, never merged.
agent-memory sync genkey # mint a mesh key (needs the [secure-sync] extra)
export AGENT_MEMORY_SYNC_KEY=amos_sk_… # set the SAME value on every nodeEncryption is opportunistic — it engages only when a key is configured, so meshes upgrade smoothly.
🎫 Sync-scoped token tier
agent-memory token create --sync mints a federation-only bearer token (amos_sync_…) that authorizes only GET /api/node, GET /api/sync/export, POST /api/sync/import. Hand this to a peer instead of the admin token — a peer credential can no longer read or mutate memory through the API.
Also
- Explicit certificate-verifying TLS context for
https://peer URLs agent-memory-mcpconsole entry point (zero-install:uvx --from "agent-memory-os[mcp]" agent-memory-mcp)doctorreports the newsecure-syncextra- Docs updated throughout: SECURITY.md, THREAT_MODEL, USER_GUIDE, README (en/zh), INSTALLATION, DOCKER, SPEC, ROADMAP
Tests: 332 passed (10 new in test_secure_sync.py). An independent adversarial security review of the auth-scope and crypto paths found no defects.
Install: pip install -U "agent-memory-os[full]"