Memotrust
FreeNot checkedVerified memory for AI agents — agents propose memories that are quarantined until verified against evidence, and recall() returns only trusted, fresh, and in-s
About
Verified memory for AI agents — agents propose memories that are quarantined until verified against evidence, and recall() returns only trusted, fresh, and in-scope facts, preventing poisoned or hallucinated data from spreading.
README
memotrust
Verified memory for AI agents. Your agents remember only what's true.
Agents propose memories. Evidence verifies them. recall() returns only what has earned trust, so a hallucinated, stale, or poisoned "fact" never reaches your other agents.

Why memotrust
Give your agents a shared memory and it's a superpower, until one agent hallucinates a fact, copies a stale number, or reads a poisoned note. In every other memory layer, that mistake becomes every agent's "truth", silently, forever. (Memory poisoning is OWASP agentic risk ASI06.)
memotrust flips the default: nothing is trusted on arrival. A memory reaches recall() only after it's verified against a real source or approved by a human. Trust decays. Disputes withhold. Every verdict keeps a receipt.
What's inside
recall() returns only verified, fresh, in-scope memory, ranked. No guesses, no stale wins. |
|
| Every agent, Claude Code, Cursor, any MCP client, reads and writes the same store. Git-backed, so what your agents know is versioned, diffable, and portable. | |
| Every new memory is quarantined until proven. One agent's bad note can't become another's fact. | |
| Read-only checks that turn a claim into trusted knowledge: built in, or connected to a source of truth. | |
| Confirm domain claims against live data. Mixpanel built-in; connect any read-only MCP source. | |
| A local UI to review, approve, dispute, and manage every memory and every verifier connection. | |
| Every verdict records the query, the reading, and the judgment. Audit why anything is trusted. | |
| Markdown claims plus an append-only log, git-backed. Human-readable, diffable, no database. |
One memory, every agent
memotrust is the shared source of truth for your whole agent fleet. Claude Code, Cursor, and every MCP client read and write the same store, so a fact one agent proves, all of them can trust.
And because it's git-backed, that memory is versioned, diffable, and portable: branch it, review it, roll it back, sync it however you sync code. It's the home for everything your agents know, and every line of it has earned its place.
Quick start
npx memotrust install # create the store, git-init it, register the MCP with your agent
Point Claude Code, Cursor, or any MCP client at it, and your agents can propose and recall. The dashboard comes up at http://localhost:8765.
The dashboard
Everything your agents know, and exactly how much of it is proven. Review the inbox, approve or dispute at a glance, watch trust coverage, and audit any claim's full evidence chain.
MCP verifiers, read-only
A verifier confirms or refutes a claim against a source of truth. It is always read-only: it can query, never write, update, or delete.
- Built in, zero credentials. Check a claim against a file, a URL, or a command:
check: {"kind": "file", "path": "package.json", "contains": "pnpm"} check: {"kind": "url", "url": "https://api.example.com/health", "status": 200} - Connect a source of truth. Mixpanel is built-in (a read-scoped service account confirms growth and metric claims). Connect any other read-only MCP data source, or let your agent submit a read-only observation, and memotrust decides the verdict, the agent never can.
- Human approval. Anything you'd rather confirm yourself, in one click.
commandchecks are disabled by default: a poisoned claim must never become code execution. Opt in withMEMOTRUST_ALLOW_COMMAND_CHECKS=1.
How it works
There is no LLM inside the store: your agent extracts durable facts and proposes them over MCP; memotrust only ever judges the evidence and records the receipt.
The tools your agent gets
| Tool | What it does |
|---|---|
recall |
Only trusted + fresh + in-scope memory; disproven approaches come back as warnings |
propose |
File a new memory; it lands quarantined, never trusted on arrival |
search |
Everything at any trust level, each result labeled with its status |
vocabulary |
Existing spaces + tags, so agents reuse names instead of inventing synonyms |
pending_verifications |
Claims that carry a machine-checkable assertion, awaiting a reading |
submit_evidence |
Submit a read-only observation; memotrust judges, not the agent |
memotrust vs. a plain memory layer
| plain memory | memotrust | |
|---|---|---|
| New memory is… | trusted immediately | quarantined until verified |
| Hallucinated / poisoned note | served to every agent | withheld, never recalled |
| Stale facts | linger and win | decay after 60 days, re-verify |
| "We already tried that" | forgotten | returned as a warning |
| Why is this trusted? | ¯\_(ツ)_/¯ | an auditable receipt |
Contributing
Issues and PRs welcome. npm test runs the store + verifier suite; npm run test:e2e runs the end-to-end MCP acceptance test. House style: docs/code-style.md.
If verified memory is something your agents need, ⭐ star the repo. It helps a lot.
MIT · built for the Model Context Protocol
Install Memotrust in Claude Desktop, Claude Code & Cursor
unyly install memotrustInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add memotrust -- npx -y memotrustFAQ
Is Memotrust MCP free?
Yes, Memotrust MCP is free — one-click install via Unyly at no cost.
Does Memotrust need an API key?
No, Memotrust runs without API keys or environment variables.
Is Memotrust hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Memotrust in Claude Desktop, Claude Code or Cursor?
Open Memotrust on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Memotrust with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
