The canonical-card transparency log ships on a thin Postgres backend in v1. The row shape is intentionally Sigstore Rekor-compatible so the future migration to Rekor is a data move, not a schema rewrite. This page is forward-looking — it documents the migration plan so consumers can build against the v1 surface confident that the wire shape won’t break when the move happens. The migration itself is deferred to post-V1-GA.
Why migrate
The thin Postgres log is sufficient for Mnemom’s V1 scale (≤ 10K canonical recomposes per day). Sigstore Rekor brings:
- Decoupling — the log lives outside Mnemom’s infrastructure; a Mnemom compromise can’t silently rewrite it.
- Industry standard — Rekor is the Linux Foundation Sigstore project’s canonical transparency log. Consumers already trust it for software supply-chain attestations.
- Community tooling — `rekor-cli`, `cosign`, and the Sigstore client libraries become first-class verification paths alongside `mnemom verify-card`.
Column mapping
| Mnemom column | Rekor entry field | Notes |
|---|---|---|
| `log_index` | `LogIndex` | Direct; both are monotone integers |
| `integrated_time` | `IntegratedTime` (Unix epoch) | RFC 3339 → Unix conversion on insert |
| `signing_key_id` | `Body.spec.signature.publicKey.content` | base64-encoded public key (extracted from JWKS by `kid`) |
| `signed_attestation` | `Body.spec.envelope` | Wrapped in a DSSE envelope (see below) |
| `merkle_leaf_hash` | `Verification.InclusionProof.LeafHash` | Direct |
| `tree_size_after` | `Verification.InclusionProof.TreeSize` | Direct |
| (computed on demand) | `Verification.InclusionProof.Hashes` | Rebuilt from `merkle_leaf_hash` rows |
| (computed on demand) | `Verification.InclusionProof.RootHash` | Rebuilt at proof issuance |
Entry kind
Rekor entries use a `kind` discriminator. The closest fit for an AAP attestation is DSSE (Dead Simple Signing Envelope, SLSA spec). The JWS is wrapped in a DSSE envelope; Rekor’s `dsse` entry kind accepts this shape directly.
Migration steps (post-V1-GA)
- Stand up the Rekor instance. Choose between the public Sigstore instance or self-hosted. The public instance has no SLA; self-hosted gives Mnemom + customers operational control.
- Replay historic rows. Walk `card_attestations` in `log_index ASC` order; wrap each `signed_attestation` in a DSSE envelope; POST to `/api/v1/log/entries`. Rekor assigns its own `LogIndex` — store the mapping in a new `rekor_index` column on `card_attestations`.
- Dual-write window. For some number of weeks, every new compose-hook append writes both to Postgres + Rekor. Smoke-test that the two roots stay aligned.
- Cutover read paths. `GET /v1/transparency/log/{id}/...` starts returning the Rekor inclusion proof alongside (or instead of) the Postgres-derived proof. `mnemom verify-card` learns the `--rekor` flag for explicit Rekor-only verification.
- Retire the Postgres tree-build. Once Rekor reads are stable, drop the in-process Merkle reconstruction. The `card_attestations` Postgres table stays as a hot cache + a defense-in-depth ledger; Rekor becomes the authoritative source.
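The row-to-entry transform behind the "Replay historic rows" step and the DSSE wrapping described under "Entry kind", as an added example that is not Mnemom's own migration code. It follows the column-mapping table above; the `payloadType` value, the JWKS/row contents and the HMAC stand-in signer are constructed assumptions. One caveat the page does not spell out: a DSSE signature covers the PAE of the payload, not the JWS's own signing input, so the replay job must sign the envelope with the signing key rather than reuse the JWS signature.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
import json

# Constructed stand-ins for a JWKS with one key and one card_attestations row.
JWKS = {"keys": [{"kid": "mnemom-2025-01", "kty": "OKP", "crv": "Ed25519",
                  "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}]}
ROW = {"log_index": 42, "integrated_time": "2025-01-02T03:04:05Z",
       "signing_key_id": "mnemom-2025-01",
       "signed_attestation": "eyJhbGciOiJFZERTQSJ9.eyJjYXJkIjoiZGVtbyJ9.c2ln",
       "merkle_leaf_hash": "ab" * 32, "tree_size_after": 43}
PAYLOAD_TYPE = "application/vnd.mnemom.aap+jws"  # assumed; not defined on the page

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes an envelope signature covers."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)

def rfc3339_to_epoch(ts: str) -> int:
    """integrated_time (RFC 3339) -> IntegratedTime (Unix epoch seconds)."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).timestamp())

def public_key_by_kid(jwks: dict, kid: str) -> dict:
    for key in jwks["keys"]:
        if key["kid"] == kid:
            return key
    raise KeyError(f"kid {kid!r} not present in JWKS")

def dsse_envelope(jws: str, key_id: str, sign) -> dict:
    payload = jws.encode()  # the compact JWS becomes the DSSE payload
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {"payloadType": PAYLOAD_TYPE, "payload": b64(payload),
            "signatures": [{"keyid": key_id, "sig": b64(sig)}]}

def envelope_verifies(env: dict, sign) -> bool:
    """Recompute the PAE signature with the same signer and compare (demo check)."""
    expected = sign(pae(env["payloadType"], base64.b64decode(env["payload"])))
    return hmac.compare_digest(base64.b64decode(env["signatures"][0]["sig"]), expected)

def row_to_rekor_entry(row: dict, jwks: dict, sign) -> dict:
    key = public_key_by_kid(jwks, row["signing_key_id"])  # JWK JSON stands in for PEM
    return {"logIndex": row["log_index"],
            "integratedTime": rfc3339_to_epoch(row["integrated_time"]),
            "body": {"kind": "dsse", "spec": {
                "envelope": dsse_envelope(row["signed_attestation"], row["signing_key_id"], sign),
                "signature": {"publicKey": {"content": b64(json.dumps(key).encode())}}}},
            "verification": {"inclusionProof": {"leafHash": row["merkle_leaf_hash"],
                                                 "treeSize": row["tree_size_after"]}}}

def demo_signer(message: bytes) -> bytes:
    # Constructed HMAC stand-in so the example runs offline; production signs with the real key.
    return hmac.new(b"demo-key", message, hashlib.sha256).digest()
```

On replay, Rekor's response carries its own `LogIndex`; that value, not the local `logIndex` above, is what goes into the `rekor_index` column.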
Consumer impact
| Consumer | Impact |
|---|---|
| `mnemom verify-card` | Gains a `--rekor` flag; default mode honors whichever path the API points it at |
| A2A AgentCard export | The `extensions[aap/attestation]` extension body gains a `rekor_index` claim alongside `token` + `jwks_uri` |
| Custom verifiers (the schema docs) | Continue to verify the JWS as before. Optionally consume Rekor’s inclusion proof for cross-source defense |
Timeline
Deferred to post-V1-GA. Until that migration ships, the Postgres log + S3-with-object-lock backup is the authoritative public log. The v1 schema documented at `mnemom-contracts/transparency-log/v1.yaml` is stable.