agent-memory-api: dedicated AGENT_MEMORY_ACCESS_KEY dual-key auth (+ Phase 10 lineage sync)

[Humestone]

What this PR contains

3 commits — 2 are lineage sync, 1 is the new change:

1. ee26138 / 2727021 — cherry-picks of the existing local-main Phase 10 hardening commits (097f60f, e34361b: recall/governance guards + scope harness). These were already reviewed and are the lineage the production function was deployed from, but they had never landed on Humestone/OB1 main — without them this PR would show 2,500+ lines of unexplained diff.
2. 30ad12b — the actual change: auth() prefers a dedicated AGENT_MEMORY_ACCESS_KEY when set, retaining the shared MCP_ACCESS_KEY fallback until Stone-side harnesses migrate (design decision D1 in MEMORY-READONLY-ACCESS-DESIGN.md — full decouple is a later gated increment). +14 lines in index.ts, +5 tests in dual-key-auth.test.ts.

Production state

This code is already live: agent-memory-api v6 on nstjppclxchsldkcmcve, deployed 2026-06-11 with James's approval (AIOS-3D bundle; Company Memory records b8b8b012 / 4b76b4fd). This PR is the git-hygiene step bringing tracked source in line with production.

Verification

• All 5 deployed files (auth.ts, index.ts, policy.ts, read-only.ts, deno.json) byte-identical (cmp) to the verified v6 deploy source.
• Full Deno suite in this branch: 51 passed, 0 failed, including the 5 new dual-key tests (dedicated key accepted; wrong key rejected; fallback still works; unset dedicated key ⇒ legacy behavior).
• Rollback bundle (v4 source + SHA256SUMS) preserved in how-open-brain-runs 04-operating-system/hermes-doctrine/generated/rollback-agent-memory-api-v4-20260611/.

For James

Merge restores tracked-source = production. No deploy is triggered by merging.

🤖 Generated with Claude Code

[github-actions]

OB1 PR Gate

✅ Folder structure — All files are in allowed directories
✅ Required files — README.md and metadata.json found in all contribution folders
✅ Metadata valid — All metadata.json files passed JSON Schema validation
✅ No credentials — No API keys, tokens, or secrets detected
✅ SQL safety — No destructive SQL or core table modifications
✅ Category artifacts — Required file types present for each category
❌ PR format — PR title must start with [recipes], [schemas], [dashboards], [integrations], [skills], [primitives], [extensions], or [docs] followed by a space and description
✅ No binary blobs — No oversized or binary files
❌ README completeness — Incomplete READMEs:

• integrations/agent-memory-api/README.md: missing sections: Step-by-step instructions

✅ Contribution dependencies — All declared skill and primitive dependencies exist and are linked in README
✅ LLM clarity review — Covered by Claude PR Review workflow
✅ Remote MCP pattern — No local MCP server patterns detected — uses remote MCP correctly
✅ Tool audit link — Extensions/integrations link to the MCP Tool Audit guide
✅ Scope check — All changes are within the contribution folder(s)
✅ Internal links — All relative links in READMEs resolve to existing files

Result: 13/15 checks passed. Please fix the issues above and push again.

---

Post-Merge Tasks

These don't block merge — they're reminders for admins after this PR lands.

• Add Nate Jones Team (@NatebJones) to CONTRIBUTORS.md
• Post in OB1 Discord #show-and-tell