Every AI coding agent keeps its own memory — one per tool, per developer, per session. memnos is the shared, governed layer across all of them: what one agent learns, every agent knows — attributed to who learned it, audited, on your own PostgreSQL.
How we're different: memnos captures deterministically through Claude Code hooks and the capture proxy — not the model’s discretion (and if the server is down, turns are queued and replayed automatically) — runs no LLM at query time, and is fully governed and audited. And we publish honest, judge-transparent benchmarks: the full judge band, per-question predictions in the repo.
Chose one PostgreSQL + pgvector over a separate graph + vector DB — simpler ops, ACID, bi-temporal facts.
Redis OOM on prod-02. Resolved by setting maxmemory-policy=allkeys-lru.
CONSTRAINT: All database queries must go through the ORM layer. Direct SQL is prohibited.
Alex moved to Seattle — the earlier "lives in Austin" fact is closed with valid_to, not deleted.
CONSTRAINT: All PHI data MUST be encrypted at rest using AES-256. Direct database access from service layers is PROHIBITED.
64–65% on full LoCoMo (three independent ingests) · 78.4% on LongMemEval (500q, gpt-4o judge, predictions published) · No LLM at query time · Apache-2.0 · Runs on PostgreSQL.
Two real Claude Code agents — separate processes, separate tokens, same team namespace. Dev Alice’s agent makes a decision. Dev Bob’s agent, in a fresh session that never saw hers, recalls it — attributed to dev-alice — and adds a constraint her next turn picks up. No one re-explained anything. memnos is the shared memory underneath.
Recorded live · attribution is server-stamped from each agent’s token, not client-claimed · runs on your own Postgres.
memnos captures both sides — what you asked and what your AI concluded — deterministically, through hooks and the capture proxy, not the model’s discretion. Decisions land in memory the moment they’re made.
Author attribution on every write — know which agent or person wrote each memory, and when. Today, every operation is already audit-logged by principal.
Pinned constraints that ride along with every recall, so your rules never fall out of context. Today: constraints are searchable facts, and /corpus/check tests any diff against them — deterministic, no LLM.
Shipped today: token auth, namespace ACLs, a full audit log, and an AES-256-GCM secret vault with write-time credential redaction. Every claim checkable in the open source.
Your team has 20 engineers and 20 AI assistants. Without shared memory, you have 40 silos — each starting from zero.
Context window closes; architecture decisions, resolved incidents, learned patterns — gone. Every session restarts from zero.
Agent A doesn't know what Agent B discovered 10 minutes ago. Work is repeated, mistakes are repeated, and coordination is manual.
A senior architect's 10am decision doesn't reach the developer asking the same question at 2pm. The same trade-offs get re-litigated daily.
No audit trail. No way to know which agent made which call, which decision was automated, or why. Compliance is impossible to prove.
Agents generate code that violates your documented architecture. No one enforces the rules at code-generation time without re-prompting every session.
Onboarding takes weeks because institutional knowledge lives in people's heads and scattered notes. New hires and their AI assistants start completely cold.
Fair question — there are good ones. But look at what each actually ships, as of June 2026:
A polished temporal knowledge graph — as a hosted cloud product. Its open engine (Graphiti) requires a separate graph database, and conflict resolution is LLM-driven.
Genuinely open source, with the biggest community. But an LLM decides what to add, update or delete at write time, and governance — ACL, audit, vault — isn’t part of the package.
An agent runtime — capture is complete inside it, but it can’t add memory to the tools you already use: Claude Code, Claude Desktop, Cursor stay outside.
Great DX and connectors — but the engine’s source is unpublished, local mode is a closed binary with a single API key, and governance starts at paid tiers.
Nobody in that list ships all three of: a fully open engine (read every line that touches your data), governance by default in the free tier (token auth, namespace ACL, audit log, cost ledger, encrypted vault, ingest redaction), and running on your own PostgreSQL — the database your org already operates, backs up, and has compliance sign-off on. memnos is that combination: memory you can audit, govern, and run on your own Postgres. See the full comparison →
memnos earns its place when more than one agent — or more than one developer — needs to share what’s been learned. Three audiences feel that most:
Your team runs Claude Code, Codex and Cursor. memnos is the one shared, governed memory underneath them: decisions, constraints and incidents every developer’s agent reads and writes — attributed to who learned them. New hires get full context on day one; the team stops re-litigating settled questions.
Building on LangChain, LangGraph or your own stack? memnos is a real memory backend via the memnos-sdk, MCP and REST — hybrid recall, bi-temporal facts, no LLM at query time. Vendor-neutral, runs anywhere.
Healthcare, finance, government. Self-host on the PostgreSQL you already operate, with token auth, namespace ACLs, a full audit log, server-stamped authorship and an encrypted secret vault. Your data never leaves your infrastructure.
Facts, decisions, preferences, incidents and constraints survive session boundaries and are shared across your whole team — so nothing important is ever lost or re-explained. Runs on infrastructure you already operate; no exotic database to babysit.
Every memory carries valid_from / valid_until timestamps. Query the memory store as_of any past date — "what did we know about the auth service on March 15th?" Zep/Graphiti are bi-temporal too; memnos is the one that does it on a single plain PostgreSQL.
Not a static document store. The graph evolves in real-time as agents work — new edges, superseded decisions, cross-linked incidents — always reflecting your team's current understanding.
Ingest your architecture docs — memnos parses RFC-2119 rules (SHALL / SHOULD / MAY) into constraint facts. They surface in recall like any memory, and corpus_check returns the rules relevant to any code snippet or diff — deterministic, no LLM.
Every operation is token-authenticated, namespace-scoped and audit-logged — principal, operation, latency, result count. Every consolidated fact keeps provenance links to the raw episodes behind it. (Per-author memory attribution ships in v0.1.6.)
Pub/sub across agents — webhook push and cursor-based polling, delivered at-least-once. When one agent writes a discovery, subscribed agents hear about it on the next delivery pass.
Claude Code, Codex, Cursor, GPT-5, Llama, Gemini, Mistral — any model that can make an HTTP call works with memnos. Swap your underlying LLM without touching your memory layer.
Fine-grained access control via API keys and namespaces. Give the backend team read/write to org:acme:backend, the frontend team to org:acme:frontend. Each agent gets exactly the permissions it needs.
AES-256-GCM encrypted vault for secrets and keys, stored alongside memories, with master-key rotation built in. Ingest redaction strips credential patterns before they ever land in memory.
Write an architecture rule once — or ingest a whole doc. Stored rules are searchable by every agent, and /corpus/check returns the rules relevant to any snippet or diff — in CI, code review, or your editor.
Point ANTHROPIC_BASE_URL / OPENAI_BASE_URL at memnos proxy and every conversation is captured deterministically — not left to the model's discretion like MCP-only memory.
Copy or move whole namespaces with one command, and back up everything with standard PostgreSQL tooling (pg_dump). It’s your database — your memory travels with your infrastructure.
The three pieces teams usually bolt together from separate products — shipped as one engine, on one governed PostgreSQL.
Document ingestion (/ingest/file), hybrid retrieval — vector + BM25 fused with RRF — and a cross-encoder reranker on by default. No separate vector database to run.
Entities, edges, bi-temporal facts and consolidated dossiers — plus grounded recall: admin-linked knowledge namespaces consulted with every search. Lightweight by design: it is not a replacement for a dedicated graph-analytics platform.
Episodes, deterministic supersession, namespaces with ACLs, audit, pub/sub coordination — persistent memory for every agent and AI tool you already use, via MCP, REST and the SDK.
All three live in one PostgreSQL + pgvector you already run — one backup, one auth model, one audit trail.
Here’s a truth most memory products won’t put on their homepage: the MCP protocol has no post-response event — a memory server never sees the conversation, so capture via MCP tools is at the model’s discretion. That’s true for every vendor, including us. So memnos ships three explicit capture tiers and tells you which one you’re getting:
| Capture tier | Works with | Who decides what’s saved | Guarantee |
|---|---|---|---|
| Claude Code hooks | Claude Code | memnos — both speakers, every turn | ✓ Deterministic |
| memnos proxy | Any client with a base-URL override (ANTHROPIC_BASE_URL / OPENAI_BASE_URL) |
memnos — full conversation relayed | ✓ Deterministic |
| MCP tools | Everything else — including Claude Desktop | The model | ~ Best-effort |
Claude Desktop allows no base-URL override and no hooks — it is tools-only for every memory vendor. If a memory product promises automatic capture there, ask how.
Product, engineering, QA, and DevOps all share one memory store. New hires get full institutional context on day one — not after weeks of onboarding.
Learn more →Ingest your architecture docs, ADRs, and compliance requirements. Agents enforce rules automatically during code review and development — zero re-prompting.
Learn more →When PagerDuty fires, surface similar past incidents and resolutions instantly. Stop re-investigating the same failures at 2am.
Learn more →Replace static wikis with a living memory store that every agent and engineer contributes to and queries in real time. Documentation that updates itself.
Learn more →The question isn't whether your AI agents will make consequential decisions. They already are. The question is whether you can audit them, govern them, and prove it to your organization.
{
"id": 48121,
"text": "Chose PostgreSQL + pgvector over Neo4j",
"kind": "proposition",
"valid_from": "2026-03-15T10:23:44Z",
"valid_to": null,
"provenance": { "episodes": [9143, 9150] },
"audit": { "principal": "arch-agent", "op": "/remember" },
"namespace": "org:acme:architecture"
}
memnos is the only memory tool built for multi-agent engineering teams — with memory policies, temporal queries, and architecture enforcement no other tool has.
| Capability | memnos | mem0 | Zep | Obsidian+Claude | ChatGPT Memory |
|---|---|---|---|---|---|
| Multi-agent shared memory | ✓ | ✗ | ~ | ✗ | ✗ |
| Temporal memory (as_of queries) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Architecture enforcement | ✓ | ✗ | ✗ | ✗ | ✗ |
| Complete audit trail | ✓ | ✗ | ✗ | ✗ | ✗ |
| Self-hostable, 100% local | ✓ | ✓ | ~ | ✓ | ✗ |
| Secret vault | ✓ | ✗ | ✗ | ✗ | ✗ |
A cross-platform memnos CLI (server + client in one), an MCP server for Claude Code / Cursor / Windsurf, and a plain REST API. PostgreSQL is the only prerequisite. (Plus a Python SDK on PyPI — memnos-sdk — with LangChain, LangGraph & LlamaIndex retriever adapters.)
# REST — works from any language (Bearer token, namespace-scoped)
curl -X POST http://127.0.0.1:8900/remember \
-H "Authorization: Bearer $MEMNOS_TOKEN" -H "Content-Type: application/json" \
-d '{"namespace":"org:acme:security","text":"JWT tokens must expire after 15 minutes in production"}'
curl -X POST http://127.0.0.1:8900/recall \
-H "Authorization: Bearer $MEMNOS_TOKEN" -H "Content-Type: application/json" \
-d '{"namespace":"org:acme:security","query":"token expiry policy"}'
# …or the CLI client
memnos remember "JWT tokens expire after 15 min in prod" --namespace org:acme:security
memnos recall "token expiry policy" --namespace org:acme:security
Five lines is all it takes to give your agent permanent, governed, shared memory.
Drop the MCP server into Claude Code, Cursor, or any MCP-compatible host. Or use the REST SDK from any language. Self-host with one uv tool install — your Postgres, your data.
Agents recall and write as they work. Hybrid search (vector + BM25 + RRF) with a cross-encoder reranker returns the most relevant facts and episodes — including any stored constraint facts that match.
Call /corpus/check with every PR diff. It returns the stored SHALL / SHOULD / MAY rules relevant to the change — annotate the PR, or fail the build on your own policy.
Every call is token-authenticated and audit-logged; every consolidated fact keeps provenance links to its source episodes. Per-author attribution on each memory lands in v0.1.6.
from memnos_sdk import MemnosClient
with MemnosClient(
base_url="https://memnos.acme.com",
token="...",
) as client:
# Hybrid recall — facts + episodes, reranked
out = client.recall(
"how do we handle patient data encryption",
namespace="org:acme:engineering",
)
# One prompt-ready context string
ctx = client.context("auth service decisions")
# Write — authed, namespaced, audit-logged
client.remember(
"Selected PostgreSQL + pgvector — single engine",
namespace="org:acme:architecture",
)
The classic blackboard pattern, with a policy layer: agents share a namespace, every write is signed with the authenticated principal — set by the server, never client-supplied — and webhook subscriptions push new memories to the agents that care (at-least-once). When another agent recalls, it sees exactly who said what.
# Give the agent its own identity, key and scope
memnos principal create billing-bot --kind service
memnos token mint billing-bot # → mnk_…
memnos grant add billing-bot proj:storefront
# billing-bot writes a discovery to the shared namespace…
memnos remember "Refund r-1041 approved — customer churned over shipping delays" \
--namespace proj:storefront
# …the support agent subscribes (webhook push, at-least-once)
curl -s -H "Authorization: Bearer $MEMNOS_TOKEN" http://127.0.0.1:8900/subscribe \
-d '{"namespace":"proj:storefront","webhook":"https://support-bot.internal/hook"}'
# …and every other agent's recall shows who said it — server-signed:
- (fact, 2026-06-11, by billing-bot) Refund r-1041 approved — customer churned …
Delivery is webhook push plus cursor-based polling, at-least-once on each pusher pass — not a millisecond bus. Full details in the API reference.
Every architecture decision in this codebase is a memory. Every incident we hit is stored. The agents that write our docs query memnos before writing a word.
We didn't just use our product — our product made itself. If memnos went down, our agents would start repeating the same mistakes within a week.
// actual memories from building memnos
Chose PostgreSQL + pgvector over Neo4j + Qdrant. One engine eliminates two services and gives vector + full-text search without a second database.
E2E stack stuck at "Created" — Postgres container never became healthy. Root cause: ~ in .env file not expanded by docker-compose. Fixed by injecting MEMNOS_DATA_DIR as shell env var.
CONSTRAINT: Source directories are READ-ONLY. All memory and learnings go to vaults only. Never write markdown in source repos.
Self-host in minutes — one installer script or Docker, on a PostgreSQL you already run. Apache-2.0 licensed. No lock-in.