Skip to content

feat(sdk)/docs: first-class trustless verification of a memory (verify() + guide) #315

Description

@DrVelvetFog

Summary

Walrus Memory's headline promise is verifiable, non-custodial memory — "verifiable integrity without centralized trust", "fully controlled by you" (SKILL.md / README). I went looking to confirm that property holds, and it genuinely does — I reconstructed a memory's full provenance from on-chain data + public Walrus with zero relayer trust. But there is no documented procedure and no SDK helper to actually do it. For a product whose core differentiator is trustless verifiability, that's a gap worth closing — and I'd be glad to contribute the fix.

What I verified (staging/testnet)

For a memory written via the SDK — blob_id = GybhBuKN6GY3C5Ct1oOR3bpDK4VqJd58bbhsk6V-orw, account 0x9c6caf5d…ad935:

  1. Relayer-independent fetch. The blob downloads straight from the public Walrus aggregator —
    GET https://aggregator.walrus-testnet.walrus.space/v1/blobs/GybhBuKN…-orw200, 435 bytes — with no relayer in the path.
  2. Encrypted at rest. The raw bytes contain no plaintext marker or secret (SEAL). ✅
  3. On-chain provenance. The memory exists as a Walrus …::blob::Blob object whose on-chain Metadata (VecMap<String,String>) carries:
    • memwal_namespace, memwal_owner, memwal_package_id, and memwal_agent_id.
    • memwal_agent_id exactly equals the public_key of a DelegateKey registered on the MemWalAccount — cryptographically binding the blob to a key the account authorized.

So the whole chain — account → authorized delegate key → blob written by that key → namespace/owner → content-addressed encrypted bytes on Walrus — is independently checkable. The relayer is an index/availability convenience exactly as the docs imply; the gap is that nothing helps a user demonstrate it.

Proposal

  1. memwal.verify(blobId) (or verifyMemory) that:
    • resolves the on-chain Blob + Metadata,
    • checks memwal_agent_id against the account's registered delegate keys,
    • confirms the blob is retrievable + content-addressed on Walrus,
    • returns a structured report, e.g. { ownerOk, agentKeyOk, namespace, onChain, walrusReachable }.
  2. A short "Independently verify a memory" guide documenting the memwal_* Metadata schema and the chain → Walrus procedure, so the verifiability claim is demonstrable rather than asserted.

I'm happy to open a PR for (1) and/or (2) — glad to align on the API shape first.

Related finding: metadata privacy

While content is encrypted, memwal_namespace, memwal_owner, and memwal_agent_id are stored as public plaintext on-chain. Namespace names and per-agent write patterns are therefore world-readable. Apps that name namespaces after end-users/tenants (e.g. patient-12345, org-acme) would leak that. Worth a docs warning, and/or an option to store an opaque (hashed) namespace in the on-chain metadata for privacy-sensitive integrations.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions