Summary
Walrus Memory's headline promise is verifiable, non-custodial memory — "verifiable integrity without centralized trust", "fully controlled by you" (SKILL.md / README). I went looking to confirm that property holds, and it genuinely does — I reconstructed a memory's full provenance from on-chain data + public Walrus with zero relayer trust. But there is no documented procedure and no SDK helper to actually do it. For a product whose core differentiator is trustless verifiability, that's a gap worth closing — and I'd be glad to contribute the fix.
What I verified (staging/testnet)
For a memory written via the SDK — blob_id = GybhBuKN6GY3C5Ct1oOR3bpDK4VqJd58bbhsk6V-orw, account 0x9c6caf5d…ad935:
- Relayer-independent fetch. The blob downloads straight from the public Walrus aggregator —
GET https://aggregator.walrus-testnet.walrus.space/v1/blobs/GybhBuKN…-orw → 200, 435 bytes — with no relayer in the path.
- Encrypted at rest. The raw bytes contain no plaintext marker or secret (SEAL). ✅
- On-chain provenance. The memory exists as a Walrus
…::blob::Blob object whose on-chain Metadata (VecMap<String,String>) carries:
memwal_namespace, memwal_owner, memwal_package_id, and memwal_agent_id.
memwal_agent_id exactly equals the public_key of a DelegateKey registered on the MemWalAccount — cryptographically binding the blob to a key the account authorized.
So the whole chain — account → authorized delegate key → blob written by that key → namespace/owner → content-addressed encrypted bytes on Walrus — is independently checkable. The relayer is an index/availability convenience exactly as the docs imply; the gap is that nothing helps a user demonstrate it.
Proposal
memwal.verify(blobId) (or verifyMemory) that:
- resolves the on-chain
Blob + Metadata,
- checks
memwal_agent_id against the account's registered delegate keys,
- confirms the blob is retrievable + content-addressed on Walrus,
- returns a structured report, e.g.
{ ownerOk, agentKeyOk, namespace, onChain, walrusReachable }.
- A short "Independently verify a memory" guide documenting the
memwal_* Metadata schema and the chain → Walrus procedure, so the verifiability claim is demonstrable rather than asserted.
I'm happy to open a PR for (1) and/or (2) — glad to align on the API shape first.
Related finding: metadata privacy
While content is encrypted, memwal_namespace, memwal_owner, and memwal_agent_id are stored as public plaintext on-chain. Namespace names and per-agent write patterns are therefore world-readable. Apps that name namespaces after end-users/tenants (e.g. patient-12345, org-acme) would leak that. Worth a docs warning, and/or an option to store an opaque (hashed) namespace in the on-chain metadata for privacy-sensitive integrations.
Summary
Walrus Memory's headline promise is verifiable, non-custodial memory — "verifiable integrity without centralized trust", "fully controlled by you" (SKILL.md / README). I went looking to confirm that property holds, and it genuinely does — I reconstructed a memory's full provenance from on-chain data + public Walrus with zero relayer trust. But there is no documented procedure and no SDK helper to actually do it. For a product whose core differentiator is trustless verifiability, that's a gap worth closing — and I'd be glad to contribute the fix.
What I verified (staging/testnet)
For a memory written via the SDK —
blob_id = GybhBuKN6GY3C5Ct1oOR3bpDK4VqJd58bbhsk6V-orw, account0x9c6caf5d…ad935:GET https://aggregator.walrus-testnet.walrus.space/v1/blobs/GybhBuKN…-orw→200, 435 bytes — with no relayer in the path.…::blob::Blobobject whose on-chainMetadata(VecMap<String,String>) carries:memwal_namespace,memwal_owner,memwal_package_id, andmemwal_agent_id.memwal_agent_idexactly equals thepublic_keyof aDelegateKeyregistered on theMemWalAccount— cryptographically binding the blob to a key the account authorized.So the whole chain — account → authorized delegate key → blob written by that key → namespace/owner → content-addressed encrypted bytes on Walrus — is independently checkable. The relayer is an index/availability convenience exactly as the docs imply; the gap is that nothing helps a user demonstrate it.
Proposal
memwal.verify(blobId)(orverifyMemory) that:Blob+Metadata,memwal_agent_idagainst the account's registered delegate keys,{ ownerOk, agentKeyOk, namespace, onChain, walrusReachable }.memwal_*Metadataschema and the chain → Walrus procedure, so the verifiability claim is demonstrable rather than asserted.I'm happy to open a PR for (1) and/or (2) — glad to align on the API shape first.
Related finding: metadata privacy
While content is encrypted,
memwal_namespace,memwal_owner, andmemwal_agent_idare stored as public plaintext on-chain. Namespace names and per-agent write patterns are therefore world-readable. Apps that name namespaces after end-users/tenants (e.g.patient-12345,org-acme) would leak that. Worth a docs warning, and/or an option to store an opaque (hashed) namespace in the on-chain metadata for privacy-sensitive integrations.