Security Pipeline

Every memory passes through three independent security layers before reaching persistent storage. The layers operate sequentially and produce auditable outputs.

Design Principles

  • Defense in depth — Each layer addresses a different attack vector
  • Fail-closed — Any layer failure rejects the entire operation
  • Independent — Layers do not share state or depend on each other’s output (except data flow)
  • Auditable — Every layer produces a structured audit payload
  • Configurable — Layers 1 and 2 can be disabled; Layer 3 is always active

Layer 1: Semantic Privacy Guard™

Content-level PII detection and redaction.

PropertyValue
Detection methodRegex pattern matching (12+ categories)
CategoriesEmail, phone, SSN, credit card, API key, IP address, URL, and more
Redaction format[TYPE_REDACTED] placeholders
Forensic hashingSHA-256 hash of each redacted value (audit without retention)
Aggressive modeStrips proper nouns (anti-inference protection)
ConfigurableYes — sanitize_enabled

Warning

PII detection is regex-based, not NLP-based. Context-dependent PII (e.g., a name embedded in conversational text without clear patterns) may not be detected. The aggressive mode provides stronger protection at the cost of stripping more content.

Layer 2: Differential Privacy

Embedding-level privacy via calibrated Gaussian noise.

PropertyValue
MechanismAnalytic Gaussian mechanism
TargetEmbedding vectors (1536 dimensions)
Privacy budgetε ∈ [0.01, 10.0], default 0.5
Post-processingL2 normalization after noise injection
Audit outputε, σ (noise sigma), SNR (dB)
ConfigurableYes — privacy_enabled, privacy_epsilon

Layer 3: Intelligent Intent Validation™

Semantic-level intent classification with safety promotion.

PropertyValue
Categories6 (preference, fact, procedural, bio, ephemeral, critical)
Classification methodTwo-step: keyword heuristics + confidence gate
Critical promotionAutomatic for safety-critical keywords
Self-healingAdjusts conflicting classifications
ConfigurableNo — always active, cannot be disabled

Encryption at Rest

After passing through the security pipeline, the processed content is encrypted with AES-256-GCM before being written to the database. This is not a pipeline "layer" in the strict sense — it is a storage-level protection applied after all pipeline stages complete.

Each encryption operation uses a random 12-byte IV. The GCM authentication tag (16 bytes) is validated on every read, ensuring tamper detection.

Pipeline Audit Output

Every store() operation returns a comprehensive audit payload covering all three layers. This enables agents to verify exactly what happened to their data:

  • sanitization_details — PII count, risk score, items removed
  • privacy_details — ε, σ, SNR
  • validation_details — intent, confidence, source type, is_critical
  • trust_quotient — computed TQ score