Skip to main content

Trust-gated memory for AI agents: guesses can't act.

Project description

AI Memory Firewall

tests

Trust-gated memory for AI agents. Internal AI analysis is the lowest authority — an agent's own words are not evidence.

The problem

AI agents poison their own memory. They store guesses, summaries, and inferences as if they were facts, retrieve them later with full confidence, and act on them. A guess written on Monday reads as truth on Wednesday — and everything built on it inherits the poison.

The rule

Every claim carries exactly one trust label — Verified, Reported, or Guessed — and guesses can't act. A guess can be read, discussed, and stored, but it cannot update the record, send the email, or drive an action until something external confirms it.

The architecture

Claims enter through the Claim Check layer, which decides what a claim is worth. Trust is only upgraded by the Ground Truth layer, which settles claims against reality via outcome receipts — and receipts are signed and hash-linked, so trust cannot be self-asserted or history rewritten (memory_firewall/signing.py).

Three doors

You want to… Go to Setup
Use it now — any model, zero install prompts/ — quick prompt, Claude Skill, coding-agent rules, human templates 60 seconds
Build with it — enforce in code, or install as an MCP server memory_firewall/ — the runtime package; MCP: prompts/mcp/ pip install "memory-firewall[mcp]"
Deploy it — unforgeable provenance memory_firewall/signing.py — signed receipts, provenance chains Key management required

Same labels at every level; only the guarantee gets stronger. Full tier architecture: TIERS.md. Detailed instructions with four worked use cases per tier, including copy-paste prompts: USAGE.md.

Benchmark

Scored against its own 50-case adversarial dataset: 0% attack success rate vs. 100% for a no-firewall baseline — zero of 37 adversarial cases were allowed to drive an action. Reproduce it from an installed package:

pip install memory-firewall
python -m memory_firewall.benchmark           # or: memory-firewall-benchmark

Full numbers and the honest precision tradeoff: BENCHMARK.md.

Status

Early public restructure, moving fast. Shipped: the Level 1 prompt pack, the Claim Check runtime with a tiered (rules + model-judge) classifier, signed outcome receipts enforced at the action gate (in code and in the packaged store/MCP), the scored benchmark, and an installable MCP server. All tests run in CI on every push.

Related work

Memory poisoning is a standardized threat (OWASP ASI06:2026 — Memory & Context Poisoning) with a live attack literature (MINJA, AgentPoison). How this firewall relates to those attacks and to guardrail tools like Meta's LlamaFirewall — and what is novel here — is in RELATED_WORK.md.

Lineage

Formerly developed as the ACF/BOS Memory Firewall (research archive). The old acronyms survive only in this note: ACF is now the Claim Check layer; the outcome-resolution layer is now the Ground Truth layer.

License

Licensed under the Apache License 2.0 — free to use, modify, and build on, including commercially, with a patent grant and no copyleft. Copyright 2026 CREATORSEAL CORPORATION; see NOTICE. The Apache license covers the code, schemas, and prompt packs in this repository; the "Memory Firewall" and "CreatorSeal" names are not licensed for use in a way that implies endorsement (Apache 2.0 §6).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

memory_firewall-0.1.0.tar.gz (69.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

memory_firewall-0.1.0-py3-none-any.whl (45.9 kB view details)

Uploaded Python 3

File details

Details for the file memory_firewall-0.1.0.tar.gz.

File metadata

  • Download URL: memory_firewall-0.1.0.tar.gz
  • Upload date:
  • Size: 69.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for memory_firewall-0.1.0.tar.gz
Algorithm Hash digest
SHA256 6ec816e883da8e8535ad930a5fd9f8d3cebdd3e6d9fb640701a2ca46dcab0847
MD5 5df750b9630384acfb65860c4105f570
BLAKE2b-256 82aecfc018b8adfadd3787b98e263130624f96a5c8b2fcd936305f9a50f383bb

See more details on using hashes here.

Provenance

The following attestation bundles were made for memory_firewall-0.1.0.tar.gz:

Publisher: publish.yml on TanyaWBM1/AI-Memory-Firewall

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file memory_firewall-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for memory_firewall-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b4ebc749d17f3076eeeff62aa465f0a2d38b6462bd451a07fa9144d72bdd4239
MD5 077538b76739b1a3058707e0e3f58b80
BLAKE2b-256 e878676124d062dc8da73205e502f6400a5a52b65fe8e2a4624ccf1ced45b4e9

See more details on using hashes here.

Provenance

The following attestation bundles were made for memory_firewall-0.1.0-py3-none-any.whl:

Publisher: publish.yml on TanyaWBM1/AI-Memory-Firewall

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page