Metadata-Version: 2.4
Name: memory-firewall
Version: 0.1.0
Summary: Trust-gated memory for AI agents: guesses can't act.
Author: CREATORSEAL CORPORATION
License-Expression: Apache-2.0
Project-URL: Homepage, https://github.com/TanyaWBM1/AI-Memory-Firewall
Keywords: ai,agents,memory,security,trust,mcp,prompt-injection
Classifier: Programming Language :: Python :: 3
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: NOTICE
Provides-Extra: signing
Requires-Dist: cryptography>=42.0; extra == "signing"
Provides-Extra: judge
Requires-Dist: anthropic>=0.40; extra == "judge"
Provides-Extra: mcp
Requires-Dist: mcp>=1.2; extra == "mcp"
Provides-Extra: schema
Requires-Dist: jsonschema>=4.21; extra == "schema"
Provides-Extra: dev
Requires-Dist: cryptography>=42.0; extra == "dev"
Requires-Dist: jsonschema>=4.21; extra == "dev"
Requires-Dist: mcp>=1.2; extra == "dev"
Requires-Dist: anyio>=4.0; extra == "dev"
Requires-Dist: pytest>=8.0; extra == "dev"
Requires-Dist: pytest-anyio>=0.0.0; extra == "dev"
Dynamic: license-file

# AI Memory Firewall

![tests](https://github.com/TanyaWBM1/AI-Memory-Firewall/actions/workflows/tests.yml/badge.svg)

> **Trust-gated memory for AI agents.**
> Internal AI analysis is the lowest authority — an agent's own words are not evidence.

## The problem

AI agents poison their own memory. They store guesses, summaries, and
inferences as if they were facts, retrieve them later with full confidence,
and act on them. A guess written on Monday reads as truth on Wednesday —
and everything built on it inherits the poison.

## The rule

Every claim carries exactly one trust label — **Verified**, **Reported**, or
**Guessed** — and **guesses can't act**. A guess can be read, discussed, and
stored, but it cannot update the record, send the email, or drive an action
until something external confirms it.

## The architecture

Claims enter through the **Claim Check layer**, which decides what a claim
is worth. Trust is only upgraded by the **Ground Truth layer**, which
settles claims against reality via **outcome receipts** — and receipts are
signed and hash-linked, so trust cannot be self-asserted or history
rewritten (`memory_firewall/signing.py`).

## Three doors

| You want to… | Go to | Setup |
|---|---|---|
| **Use it now** — any model, zero install | [prompts/](https://github.com/TanyaWBM1/AI-Memory-Firewall/tree/main/prompts) — quick prompt, Claude Skill, coding-agent rules, human templates | 60 seconds |
| **Build with it** — enforce in code, or install as an MCP server | [memory_firewall/](https://github.com/TanyaWBM1/AI-Memory-Firewall/tree/main/memory_firewall) — the runtime package; MCP: [prompts/mcp/](https://github.com/TanyaWBM1/AI-Memory-Firewall/tree/main/prompts/mcp) | `pip install "memory-firewall[mcp]"` |
| **Deploy it** — unforgeable provenance | [memory_firewall/signing.py](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/memory_firewall/signing.py) — signed receipts, provenance chains | Key management required |

Same labels at every level; only the guarantee gets stronger. Full tier
architecture:
[TIERS.md](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/TIERS.md).
Detailed instructions with four worked use cases per tier, including
copy-paste prompts:
[USAGE.md](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/USAGE.md).

## Benchmark

Scored against its own 50-case adversarial dataset: **0% attack success rate
vs. 100% for a no-firewall baseline** — zero of 37 adversarial cases were
allowed to drive an action. Reproduce it from an installed package:

```bash
pip install memory-firewall
python -m memory_firewall.benchmark           # or: memory-firewall-benchmark
```

Full numbers and the honest precision tradeoff:
[BENCHMARK.md](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/BENCHMARK.md).

## Status

Early public restructure, moving fast. Shipped: the Level 1 prompt pack, the
Claim Check runtime with a tiered (rules + model-judge) classifier, signed
outcome receipts enforced at the action gate (in code and in the packaged
store/MCP), the scored benchmark, and an installable MCP server. All tests
run in CI on every push.

## Related work

Memory poisoning is a standardized threat (OWASP **ASI06:2026 — Memory &
Context Poisoning**) with a live attack literature (MINJA, AgentPoison). How
this firewall relates to those attacks and to guardrail tools like Meta's
LlamaFirewall — and what is novel here — is in
[RELATED_WORK.md](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/RELATED_WORK.md).

## Lineage

Formerly developed as the ACF/BOS Memory Firewall
([research archive](https://github.com/TanyaWBM1/ACF-BOS-Memory-Firewall)).
The old acronyms survive only in this note: ACF is now the **Claim Check
layer**; the outcome-resolution layer is now the **Ground Truth layer**.

## License

Licensed under the
[Apache License 2.0](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/LICENSE)
— free to use, modify, and build on, including commercially, with a patent
grant and no copyleft. Copyright 2026 CREATORSEAL CORPORATION; see
[NOTICE](https://github.com/TanyaWBM1/AI-Memory-Firewall/blob/main/NOTICE).
The Apache license covers the code, schemas, and prompt packs in this
repository; the "Memory Firewall" and "CreatorSeal" names are not licensed
for use in a way that implies endorsement (Apache 2.0 §6).
