Policies

Memory policies that
don't slow you down

The question isn't whether your AI agents will make consequential decisions. They already are. memnos stamps every memory with its author (server-side, spoof-proof), keeps a full audit trail, scopes access by namespace, and enforces your constraints — so you always know which agent made which decision, without adding friction to the engineering workflow.

Server-stamped authorship
Complete audit trail
Namespace ACLs
Architecture enforcement
Encrypted secret vault
Audit Trail

Every agent action. Every decision. Permanently auditable.

Every operation in memnos is authenticated, namespace-scoped and audit-logged. Every memory is stamped with its author — the authenticated principal, set server-side from the token, never client-supplied — so it can't be spoofed, and it's surfaced in recall so you always know which agent (and which teammate) learned what. Every consolidated fact keeps provenance links to the raw episodes it came from.

audit_record.json
{
  "id": 48121,
  "text": "Selected PostgreSQL + pgvector over Neo4j
    for multi-model support",
  "kind": "proposition",
  "namespace": "org:acme:architecture",
  "author": "arch-agent",   // stamped server-side
  "valid_from": "2026-03-15T10:23:44Z",
  "valid_to": null,
  "provenance": { "episodes": [9143, 9150] },
  "audit": {
    "principal": "arch-agent",
    "op": "/remember",
    "ts": "2026-03-15T10:23:44Z",
    "status": 200
  }
}
// the author is the authenticated principal — a body-supplied
// author is ignored, so you can't spoof who learned something

What the audit trail enables

Compliance

Prove to auditors which AI agents made which decisions. The full provenance chain — agent, session, tool, commit — is queryable forever. Not just a log; a structured memory store.

Debugging bad decisions

When something goes wrong, trace the decision back to the exact agent session and git commit that produced it. Understand the context that existed when the decision was made.

Accountability

Know which team, which tool, which git commit produced each memory. In an AI-assisted world, accountability requires that every machine action be traceable to a human decision point.

AI safety monitoring

Detect when agents are behaving outside expected parameters. Query for agents writing unusual memory patterns, accessing namespaces unexpectedly, or making decisions outside their defined scope.

Access Control

Fine-grained access control across your agent fleet

Not all agents should see all memories. Namespace ACLs give you surgical control over what each agent can read and write — mapped directly to your team structure.

Namespace hierarchy

org:acme                         ← company root
  org:acme:engineering           ← all engineering
    org:acme:engineering:backend  ← backend team
    org:acme:engineering:mobile   ← mobile team
    org:acme:engineering:infra    ← infra team
  org:acme:security              ← security (restricted)
  org:acme:finance               ← finance (isolated)

Each API key is scoped to one or more namespaces with read or read/write permissions

Parent namespace keys can read child namespaces — but not vice versa

API keys are revocable instantly — decommission a compromised agent in seconds

Every access is logged — read and write operations on each namespace are auditable

Real-world permission model

Backend dev agents

token: mnk_backend_…

org:acme:engineering:backend rw org:acme:engineering ro

Architecture agents

token: mnk_arch_…

org:acme rw org:acme:security ro

Oncall / incident agents

token: mnk_oncall_…

org:acme:incidents rw org:acme:engineering ro

CI / audit agents

token: mnk_ci_…

org:acme ro (read-only: enforce, never write)
Secret Vault

Stop putting secrets in environment variables

AES-256-GCM encrypted vault integrated directly with your memory infrastructure. Secrets stored, accessed, rotated, and audited alongside the knowledge that uses them.

AES-256-GCM encryption at rest

Every secret is encrypted with AES-256 in GCM mode before writing to storage. Even if your memnos database is compromised, secrets cannot be read without the encryption key.

Automatic credential redaction

Credential patterns are automatically detected and redacted from memory writes. An agent cannot accidentally store a database password as a fact memory — the vault layer intercepts it.

Master-key rotation

Rotate the vault’s encryption key with one command (memnos secret rotate) — every stored secret is re-encrypted under the new key. Per-secret versioned rotation with grace periods is on the roadmap.

Audit-logged access

Vault operations go through the same authenticated, audit-logged control plane as every other memnos call — principal, operation and timestamp recorded in the audit log.

terminal — secret vault
# Generate the vault master key (stored in your config, mode 0600)
memnos secret keygen

# Store a secret — AES-256-GCM encrypted at rest
memnos secret set prod_db_password --desc "primary DB"

# List (names + metadata only — never values)
memnos secret ls

# Rotate the master key — re-encrypts every secret
memnos secret rotate

# Remove a secret
memnos secret rm prod_db_password

# Ingest redaction is automatic: API keys, JWTs, PEM blocks and
# passwords are stripped BEFORE text ever enters memory
Architecture Enforcement

Your documented rules, enforced automatically

Architecture governance shouldn't require a human reviewer to catch every violation. memnos's corpus checker runs your documented architecture against every code change — automatically, in CI, before it merges.

SHALL

Violations block the PR — zero exceptions

SHOULD

Violations annotate the PR with a warning comment

MAY

Informational — suggests best practices, doesn't block

See the full architecture enforcement guide →

Constraints are searchable, typed nodes in the graph:

constraint | SHALL arch/security.md

All PHI data SHALL be encrypted at rest using AES-256 or stronger. Unencrypted PHI storage is a HIPAA violation.

score: 0.94 · section: Data Protection

constraint | SHOULD arch/observability.md

Services SHOULD include correlation IDs in all log entries for distributed tracing support.

score: 0.87 · section: Logging Standards

constraint | MAY arch/api-design.md

APIs MAY return paginated results using cursor-based pagination rather than offset-based for large collections.

score: 0.72 · section: Response Patterns

Multi-Model Policies

Same policy layer, any LLM

Whether your team uses Claude Code, Codex, Cursor, GPT-5, Llama, or Gemini — all agents write to the same policy-governed memory layer with the same audit trail. Switch models without losing policy enforcement.

Model Integration Status
C
Claude Code / Claude
hooks · MCP · REST Supported
G
GPT-5 / GPT-4o · Codex (OpenAI)
proxy · REST SDK Supported
L
Llama 3, Mistral (Ollama)
REST SDK Supported
G
Gemini (Google)
REST SDK Supported
*
Any custom LLM
REST API (HTTP) Supported

The policy layer is model-agnostic by design. Your organization's audit requirements, access policies, and architecture rules apply equally to all agents — regardless of which LLM they run on.

Portability

Your memory travels with you. No lock-in.

memnos is Apache-2.0 licensed and fully self-hostable. Your team's memory store belongs to you — not a vendor. Export, migrate, and restore with complete fidelity.

Standard PostgreSQL backup & restore

All memories, edges, metadata and provenance are plain Postgres tables — pg_dump is a complete, portable backup.

Restore to any memnos installation

Cloud to on-prem, region migration, disaster recovery — restore the dump anywhere; whole namespaces can also be copied or moved with one command.

All edges, metadata, and provenance preserved

Graph structure is fully exported — not just content nodes but all relationships and connection metadata.

Apache-2.0 licensed — no vendor dependency

memnos is open source under Apache-2.0. Fork it, modify it, self-host it. Your team's memory is not dependent on our continued operation.

terminal
# Your memory is rows in YOUR PostgreSQL — back it up like one
pg_dump -Fc memnos > acme-backup-2026-06-10.dump

# Restore on any other installation
pg_restore -d memnos acme-backup-2026-06-10.dump

# Copy or move a whole namespace between scopes
memnos namespace copy org:acme:eng --to org:acme:platform
memnos namespace move proj:pilot --to org:acme:eng

# Or pull memories across namespaces you can read
# (copy_memories_from — MCP / REST)

Policies built in.
Not bolted on.

memnos's policy features are not add-ons — they're the foundation. Audit trails, ACLs, and architecture enforcement are built into every memory write, from day one.