The question isn't whether your AI agents will make consequential decisions. They already are. memnos stamps every memory with its author (server-side, spoof-proof), keeps a full audit trail, scopes access by namespace, and enforces your constraints — so you always know which agent made which decision, without adding friction to the engineering workflow.
Every operation in memnos is authenticated, namespace-scoped and audit-logged. Every memory is stamped with its author — the authenticated principal, set server-side from the token, never client-supplied — so it can't be spoofed, and it's surfaced in recall so you always know which agent (and which teammate) learned what. Every consolidated fact keeps provenance links to the raw episodes it came from.
{
"id": 48121,
"text": "Selected PostgreSQL + pgvector over Neo4j
for multi-model support",
"kind": "proposition",
"namespace": "org:acme:architecture",
"author": "arch-agent", // stamped server-side
"valid_from": "2026-03-15T10:23:44Z",
"valid_to": null,
"provenance": { "episodes": [9143, 9150] },
"audit": {
"principal": "arch-agent",
"op": "/remember",
"ts": "2026-03-15T10:23:44Z",
"status": 200
}
}
// the author is the authenticated principal — a body-supplied
// author is ignored, so you can't spoof who learned something
Prove to auditors which AI agents made which decisions. The full provenance chain — agent, session, tool, commit — is queryable forever. Not just a log; a structured memory store.
When something goes wrong, trace the decision back to the exact agent session and git commit that produced it. Understand the context that existed when the decision was made.
Know which team, which tool, which git commit produced each memory. In an AI-assisted world, accountability requires that every machine action be traceable to a human decision point.
Detect when agents are behaving outside expected parameters. Query for agents writing unusual memory patterns, accessing namespaces unexpectedly, or making decisions outside their defined scope.
Not all agents should see all memories. Namespace ACLs give you surgical control over what each agent can read and write — mapped directly to your team structure.
org:acme ← company root org:acme:engineering ← all engineering org:acme:engineering:backend ← backend team org:acme:engineering:mobile ← mobile team org:acme:engineering:infra ← infra team org:acme:security ← security (restricted) org:acme:finance ← finance (isolated)
Each API key is scoped to one or more namespaces with read or read/write permissions
Parent namespace keys can read child namespaces — but not vice versa
API keys are revocable instantly — decommission a compromised agent in seconds
Every access is logged — read and write operations on each namespace are auditable
Backend dev agents
token: mnk_backend_…
Architecture agents
token: mnk_arch_…
Oncall / incident agents
token: mnk_oncall_…
CI / audit agents
token: mnk_ci_…
AES-256-GCM encrypted vault integrated directly with your memory infrastructure. Secrets stored, accessed, rotated, and audited alongside the knowledge that uses them.
Every secret is encrypted with AES-256 in GCM mode before writing to storage. Even if your memnos database is compromised, secrets cannot be read without the encryption key.
Credential patterns are automatically detected and redacted from memory writes. An agent cannot accidentally store a database password as a fact memory — the vault layer intercepts it.
Rotate the vault’s encryption key with one command (memnos secret rotate) — every stored secret is re-encrypted under the new key. Per-secret versioned rotation with grace periods is on the roadmap.
Vault operations go through the same authenticated, audit-logged control plane as every other memnos call — principal, operation and timestamp recorded in the audit log.
# Generate the vault master key (stored in your config, mode 0600)
memnos secret keygen
# Store a secret — AES-256-GCM encrypted at rest
memnos secret set prod_db_password --desc "primary DB"
# List (names + metadata only — never values)
memnos secret ls
# Rotate the master key — re-encrypts every secret
memnos secret rotate
# Remove a secret
memnos secret rm prod_db_password
# Ingest redaction is automatic: API keys, JWTs, PEM blocks and
# passwords are stripped BEFORE text ever enters memory
Architecture governance shouldn't require a human reviewer to catch every violation. memnos's corpus checker runs your documented architecture against every code change — automatically, in CI, before it merges.
Violations block the PR — zero exceptions
Violations annotate the PR with a warning comment
Informational — suggests best practices, doesn't block
All PHI data SHALL be encrypted at rest using AES-256 or stronger. Unencrypted PHI storage is a HIPAA violation.
score: 0.94 · section: Data Protection
Services SHOULD include correlation IDs in all log entries for distributed tracing support.
score: 0.87 · section: Logging Standards
APIs MAY return paginated results using cursor-based pagination rather than offset-based for large collections.
score: 0.72 · section: Response Patterns
Whether your team uses Claude Code, Codex, Cursor, GPT-5, Llama, or Gemini — all agents write to the same policy-governed memory layer with the same audit trail. Switch models without losing policy enforcement.
| Model | Integration | Status |
|---|---|---|
|
C
Claude Code / Claude
|
hooks · MCP · REST | Supported |
|
G
GPT-5 / GPT-4o · Codex (OpenAI)
|
proxy · REST SDK | Supported |
|
L
Llama 3, Mistral (Ollama)
|
REST SDK | Supported |
|
G
Gemini (Google)
|
REST SDK | Supported |
|
*
Any custom LLM
|
REST API (HTTP) | Supported |
The policy layer is model-agnostic by design. Your organization's audit requirements, access policies, and architecture rules apply equally to all agents — regardless of which LLM they run on.
memnos is Apache-2.0 licensed and fully self-hostable. Your team's memory store belongs to you — not a vendor. Export, migrate, and restore with complete fidelity.
Standard PostgreSQL backup & restore
All memories, edges, metadata and provenance are plain Postgres tables — pg_dump is a complete, portable backup.
Restore to any memnos installation
Cloud to on-prem, region migration, disaster recovery — restore the dump anywhere; whole namespaces can also be copied or moved with one command.
All edges, metadata, and provenance preserved
Graph structure is fully exported — not just content nodes but all relationships and connection metadata.
Apache-2.0 licensed — no vendor dependency
memnos is open source under Apache-2.0. Fork it, modify it, self-host it. Your team's memory is not dependent on our continued operation.
# Your memory is rows in YOUR PostgreSQL — back it up like one
pg_dump -Fc memnos > acme-backup-2026-06-10.dump
# Restore on any other installation
pg_restore -d memnos acme-backup-2026-06-10.dump
# Copy or move a whole namespace between scopes
memnos namespace copy org:acme:eng --to org:acme:platform
memnos namespace move proj:pilot --to org:acme:eng
# Or pull memories across namespaces you can read
# (copy_memories_from — MCP / REST)
memnos's policy features are not add-ons — they're the foundation. Audit trails, ACLs, and architecture enforcement are built into every memory write, from day one.