Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Memotrust

FreeNot checked

Verified memory for AI agents — agents propose memories that are quarantined until verified against evidence, and recall() returns only trusted, fresh, and in-s

GitHubEmbed

About

Verified memory for AI agents — agents propose memories that are quarantined until verified against evidence, and recall() returns only trusted, fresh, and in-scope facts, preventing poisoned or hallucinated data from spreading.

README

memotrust

memotrust

Verified memory for AI agents. Your agents remember only what's true.

npm license MCP stars

Agents propose memories. Evidence verifies them. recall() returns only what has earned trust, so a hallucinated, stale, or poisoned "fact" never reaches your other agents.


An agent proposes memories; a poisoned one is caught at the gate while verified memory flows to every agent.

Why memotrust

Give your agents a shared memory and it's a superpower, until one agent hallucinates a fact, copies a stale number, or reads a poisoned note. In every other memory layer, that mistake becomes every agent's "truth", silently, forever. (Memory poisoning is OWASP agentic risk ASI06.)

memotrust flips the default: nothing is trusted on arrival. A memory reaches recall() only after it's verified against a real source or approved by a human. Trust decays. Disputes withhold. Every verdict keeps a receipt.

What's inside

  Trusted recall recall() returns only verified, fresh, in-scope memory, ranked. No guesses, no stale wins.
  One shared memory Every agent, Claude Code, Cursor, any MCP client, reads and writes the same store. Git-backed, so what your agents know is versioned, diffable, and portable.
  Poison can't spread Every new memory is quarantined until proven. One agent's bad note can't become another's fact.
  MCP Verifiers Read-only checks that turn a claim into trusted knowledge: built in, or connected to a source of truth.
  Read-only connectors Confirm domain claims against live data. Mixpanel built-in; connect any read-only MCP source.
  Dashboard A local UI to review, approve, dispute, and manage every memory and every verifier connection.
  Receipts, not vibes Every verdict records the query, the reading, and the judgment. Audit why anything is trusted.
  Just files Markdown claims plus an append-only log, git-backed. Human-readable, diffable, no database.

One memory, every agent

memotrust is the shared source of truth for your whole agent fleet. Claude Code, Cursor, and every MCP client read and write the same store, so a fact one agent proves, all of them can trust.

And because it's git-backed, that memory is versioned, diffable, and portable: branch it, review it, roll it back, sync it however you sync code. It's the home for everything your agents know, and every line of it has earned its place.

Quick start

npx memotrust install     # create the store, git-init it, register the MCP with your agent

Point Claude Code, Cursor, or any MCP client at it, and your agents can propose and recall. The dashboard comes up at http://localhost:8765.

The dashboard

Everything your agents know, and exactly how much of it is proven. Review the inbox, approve or dispute at a glance, watch trust coverage, and audit any claim's full evidence chain.

memotrust dashboard: memories grouped by trust (verified, proposed, disproven, approved) with an inbox and live trust coverage.

MCP verifiers, read-only

A verifier confirms or refutes a claim against a source of truth. It is always read-only: it can query, never write, update, or delete.

  • Built in, zero credentials. Check a claim against a file, a URL, or a command:
    check: {"kind": "file", "path": "package.json", "contains": "pnpm"}
    check: {"kind": "url",  "url": "https://api.example.com/health", "status": 200}
    
  • Connect a source of truth. Mixpanel is built-in (a read-scoped service account confirms growth and metric claims). Connect any other read-only MCP data source, or let your agent submit a read-only observation, and memotrust decides the verdict, the agent never can.
  • Human approval. Anything you'd rather confirm yourself, in one click.
Verifiers page: read-only connectors (Mixpanel, Amplitude, PostHog, GitHub, Human approval) that turn proposed memories into trusted knowledge.

command checks are disabled by default: a poisoned claim must never become code execution. Opt in with MEMOTRUST_ALLOW_COMMAND_CHECKS=1.

How it works

Flow: an agent proposes a memory, it is quarantined, memotrust judges the evidence and records a receipt, and only trusted memory is recalled. A 60-day decay or a human dispute sends it back to withheld.

There is no LLM inside the store: your agent extracts durable facts and proposes them over MCP; memotrust only ever judges the evidence and records the receipt.

The tools your agent gets

Tool What it does
recall Only trusted + fresh + in-scope memory; disproven approaches come back as warnings
propose File a new memory; it lands quarantined, never trusted on arrival
search Everything at any trust level, each result labeled with its status
vocabulary Existing spaces + tags, so agents reuse names instead of inventing synonyms
pending_verifications Claims that carry a machine-checkable assertion, awaiting a reading
submit_evidence Submit a read-only observation; memotrust judges, not the agent

memotrust vs. a plain memory layer

plain memory memotrust
New memory is… trusted immediately quarantined until verified
Hallucinated / poisoned note served to every agent withheld, never recalled
Stale facts linger and win decay after 60 days, re-verify
"We already tried that" forgotten returned as a warning
Why is this trusted? ¯\_(ツ)_/¯ an auditable receipt

Contributing

Issues and PRs welcome. npm test runs the store + verifier suite; npm run test:e2e runs the end-to-end MCP acceptance test. House style: docs/code-style.md.

If verified memory is something your agents need, ⭐ star the repo. It helps a lot.

MIT · built for the Model Context Protocol

from github.com/Idanref/memotrust

Install Memotrust in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install memotrust

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add memotrust -- npx -y memotrust

FAQ

Is Memotrust MCP free?

Yes, Memotrust MCP is free — one-click install via Unyly at no cost.

Does Memotrust need an API key?

No, Memotrust runs without API keys or environment variables.

Is Memotrust hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Memotrust in Claude Desktop, Claude Code or Cursor?

Open Memotrust on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Memotrust with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All ai MCPs