Skip to content

v1.1.0 — Secure federation transport

Latest

Choose a tag to compare

@yamantaka520 yamantaka520 released this 14 Jul 15:21

Encrypted federation transport + sync-scoped token tier

Two additions for secure multi-node memory sharing:

🔐 App-layer sync encryption

Set a shared mesh key and sync bundles are wrapped in an authenticated AMOSENC1: envelope (Fernet — AES-128-CBC + HMAC-SHA256). The key is a separate secret from the bearer token and never crosses the wire, so memory content stays confidential even over plain HTTP or through a TLS-terminating proxy. Bundles encrypted under an unknown key are rejected, never merged.

agent-memory sync genkey                # mint a mesh key (needs the [secure-sync] extra)
export AGENT_MEMORY_SYNC_KEY=amos_sk_…   # set the SAME value on every node

Encryption is opportunistic — it engages only when a key is configured, so meshes upgrade smoothly.

🎫 Sync-scoped token tier

agent-memory token create --sync mints a federation-only bearer token (amos_sync_…) that authorizes only GET /api/node, GET /api/sync/export, POST /api/sync/import. Hand this to a peer instead of the admin token — a peer credential can no longer read or mutate memory through the API.

Also

  • Explicit certificate-verifying TLS context for https:// peer URLs
  • agent-memory-mcp console entry point (zero-install: uvx --from "agent-memory-os[mcp]" agent-memory-mcp)
  • doctor reports the new secure-sync extra
  • Docs updated throughout: SECURITY.md, THREAT_MODEL, USER_GUIDE, README (en/zh), INSTALLATION, DOCKER, SPEC, ROADMAP

Tests: 332 passed (10 new in test_secure_sync.py). An independent adversarial security review of the auth-scope and crypto paths found no defects.

Install: pip install -U "agent-memory-os[full]"