Trust-gated memory for AI agents: guesses can't act.
Project description
AI Memory Firewall
Trust-gated memory for AI agents. Internal AI analysis is the lowest authority — an agent's own words are not evidence.
The problem
AI agents poison their own memory. They store guesses, summaries, and inferences as if they were facts, retrieve them later with full confidence, and act on them. A guess written on Monday reads as truth on Wednesday — and everything built on it inherits the poison.
The rule
Every claim carries exactly one trust label — Verified, Reported, or Guessed — and guesses can't act. A guess can be read, discussed, and stored, but it cannot update the record, send the email, or drive an action until something external confirms it.
The architecture
Claims enter through the Claim Check layer, which decides what a claim
is worth. Trust is only upgraded by the Ground Truth layer, which
settles claims against reality via outcome receipts — and receipts are
signed and hash-linked, so trust cannot be self-asserted or history
rewritten (memory_firewall/signing.py).
Three doors
| You want to… | Go to | Setup |
|---|---|---|
| Use it now — any model, zero install | prompts/ — quick prompt, Claude Skill, coding-agent rules, human templates | 60 seconds |
| Build with it — enforce in code, or install as an MCP server | memory_firewall/ — the runtime package; MCP: prompts/mcp/ | pip install "memory-firewall[mcp]" |
| Deploy it — unforgeable provenance | memory_firewall/signing.py — signed receipts, provenance chains | Key management required |
Same labels at every level; only the guarantee gets stronger. Full tier architecture: TIERS.md. Detailed instructions with four worked use cases per tier, including copy-paste prompts: USAGE.md.
Benchmark
Scored against its own 50-case adversarial dataset: 0% attack success rate vs. 100% for a no-firewall baseline — zero of 37 adversarial cases were allowed to drive an action. Reproduce it from an installed package:
pip install memory-firewall
python -m memory_firewall.benchmark # or: memory-firewall-benchmark
Full numbers and the honest precision tradeoff: BENCHMARK.md.
Status
Early public restructure, moving fast. Shipped: the Level 1 prompt pack, the Claim Check runtime with a tiered (rules + model-judge) classifier, signed outcome receipts enforced at the action gate (in code and in the packaged store/MCP), the scored benchmark, and an installable MCP server. All tests run in CI on every push.
Related work
Memory poisoning is a standardized threat (OWASP ASI06:2026 — Memory & Context Poisoning) with a live attack literature (MINJA, AgentPoison). How this firewall relates to those attacks and to guardrail tools like Meta's LlamaFirewall — and what is novel here — is in RELATED_WORK.md.
Lineage
Formerly developed as the ACF/BOS Memory Firewall (research archive). The old acronyms survive only in this note: ACF is now the Claim Check layer; the outcome-resolution layer is now the Ground Truth layer.
License
Licensed under the Apache License 2.0 — free to use, modify, and build on, including commercially, with a patent grant and no copyleft. Copyright 2026 CREATORSEAL CORPORATION; see NOTICE. The Apache license covers the code, schemas, and prompt packs in this repository; the "Memory Firewall" and "CreatorSeal" names are not licensed for use in a way that implies endorsement (Apache 2.0 §6).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file memory_firewall-0.1.0.tar.gz.
File metadata
- Download URL: memory_firewall-0.1.0.tar.gz
- Upload date:
- Size: 69.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6ec816e883da8e8535ad930a5fd9f8d3cebdd3e6d9fb640701a2ca46dcab0847
|
|
| MD5 |
5df750b9630384acfb65860c4105f570
|
|
| BLAKE2b-256 |
82aecfc018b8adfadd3787b98e263130624f96a5c8b2fcd936305f9a50f383bb
|
Provenance
The following attestation bundles were made for memory_firewall-0.1.0.tar.gz:
Publisher:
publish.yml on TanyaWBM1/AI-Memory-Firewall
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
memory_firewall-0.1.0.tar.gz -
Subject digest:
6ec816e883da8e8535ad930a5fd9f8d3cebdd3e6d9fb640701a2ca46dcab0847 - Sigstore transparency entry: 2121113760
- Sigstore integration time:
-
Permalink:
TanyaWBM1/AI-Memory-Firewall@1b0573fefde8e6a9459982dc7b01cbf21b59a5ca -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/TanyaWBM1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@1b0573fefde8e6a9459982dc7b01cbf21b59a5ca -
Trigger Event:
release
-
Statement type:
File details
Details for the file memory_firewall-0.1.0-py3-none-any.whl.
File metadata
- Download URL: memory_firewall-0.1.0-py3-none-any.whl
- Upload date:
- Size: 45.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b4ebc749d17f3076eeeff62aa465f0a2d38b6462bd451a07fa9144d72bdd4239
|
|
| MD5 |
077538b76739b1a3058707e0e3f58b80
|
|
| BLAKE2b-256 |
e878676124d062dc8da73205e502f6400a5a52b65fe8e2a4624ccf1ced45b4e9
|
Provenance
The following attestation bundles were made for memory_firewall-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on TanyaWBM1/AI-Memory-Firewall
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
memory_firewall-0.1.0-py3-none-any.whl -
Subject digest:
b4ebc749d17f3076eeeff62aa465f0a2d38b6462bd451a07fa9144d72bdd4239 - Sigstore transparency entry: 2121114244
- Sigstore integration time:
-
Permalink:
TanyaWBM1/AI-Memory-Firewall@1b0573fefde8e6a9459982dc7b01cbf21b59a5ca -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/TanyaWBM1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@1b0573fefde8e6a9459982dc7b01cbf21b59a5ca -
Trigger Event:
release
-
Statement type: