Security Pipeline
Every memory passes through three independent security layers before reaching persistent storage. The layers operate sequentially and produce auditable outputs.
On this page
Design Principles
- Defense in depth — Each layer addresses a different attack vector
- Fail-closed — Any layer failure rejects the entire operation
- Independent — Layers do not share state or depend on each other’s output (except data flow)
- Auditable — Every layer produces a structured audit payload
- Configurable — Layers 1 and 2 can be disabled; Layer 3 is always active
Layer 1: Semantic Privacy Guard™
Content-level PII detection and redaction.
| Property | Value |
|---|---|
| Detection method | Regex pattern matching (12+ categories) |
| Categories | Email, phone, SSN, credit card, API key, IP address, URL, and more |
| Redaction format | [TYPE_REDACTED] placeholders |
| Forensic hashing | SHA-256 hash of each redacted value (audit without retention) |
| Aggressive mode | Strips proper nouns (anti-inference protection) |
| Configurable | Yes — sanitize_enabled |
Warning
Layer 2: Differential Privacy
Embedding-level privacy via calibrated Gaussian noise.
| Property | Value |
|---|---|
| Mechanism | Analytic Gaussian mechanism |
| Target | Embedding vectors (1536 dimensions) |
| Privacy budget | ε ∈ [0.01, 10.0], default 0.5 |
| Post-processing | L2 normalization after noise injection |
| Audit output | ε, σ (noise sigma), SNR (dB) |
| Configurable | Yes — privacy_enabled, privacy_epsilon |
Layer 3: Intelligent Intent Validation™
Semantic-level intent classification with safety promotion.
| Property | Value |
|---|---|
| Categories | 6 (preference, fact, procedural, bio, ephemeral, critical) |
| Classification method | Two-step: keyword heuristics + confidence gate |
| Critical promotion | Automatic for safety-critical keywords |
| Self-healing | Adjusts conflicting classifications |
| Configurable | No — always active, cannot be disabled |
Encryption at Rest
After passing through the security pipeline, the processed content is encrypted with AES-256-GCM before being written to the database. This is not a pipeline "layer" in the strict sense — it is a storage-level protection applied after all pipeline stages complete.
Each encryption operation uses a random 12-byte IV. The GCM authentication tag (16 bytes) is validated on every read, ensuring tamper detection.
Pipeline Audit Output
Every store() operation returns a comprehensive audit payload covering all three layers. This enables agents to verify exactly what happened to their data:
sanitization_details— PII count, risk score, items removedprivacy_details— ε, σ, SNRvalidation_details— intent, confidence, source type, is_criticaltrust_quotient— computed TQ score