Assist Memory
БесплатноНе проверенAn MCP server that provides a shared memory layer for Claude across claude.ai, Claude Code CLI, and Desktop, storing revisioned memory entries, session timeline
Описание
An MCP server that provides a shared memory layer for Claude across claude.ai, Claude Code CLI, and Desktop, storing revisioned memory entries, session timelines, handoffs, and uploaded artifacts in SQLite.
README
A generic, project-agnostic memory / coordination / artifact server for multi-agent and multi-surface work. One FastAPI process serves a 23-tool MCP over Streamable HTTP, backed by Postgres (+ pgvector), deployed standalone on a Replit Reserved VM.
This is Tier 1 of the reusability contract: every project reuses it as-is. It carries zero domain terms — project identity lives in namespace values, never in tool names, tables, columns, or code.
Capabilities at a glance
- 23-tool MCP over Streamable HTTP (memory, handoff, session, artifact, coordination, feedback, admin).
- Trust-boundary spine (Plan v2) — actor-scoped exactly-once writes with
visible dedup, read-back-verified acks (
verified_persisted), standardized error payloads with remedies, write-time screening + quarantine, provenance tiers (origin, model attribution,derived_fromlineage), trust decay (needs_reverification), PHI-safetool_eventstelemetry, per-namespace variant profiles, and anobservation_logfeedback channel. - Namespace-scoped multi-tenancy — every per-project query filters on
namespace. - Resilient to transient DB drops — the server transparently retries genuine
connection losses (Neon scale-down / PgBouncer recycle, SQLSTATE
57P01/08xxx) on a fresh pooled connection, and validates connections at checkout, so callers no longer have to retry. Retries are idempotency-gated, so they never double-write. - Prompt-injection resistance layer — values are sanitized on write (forged
markers are escaped one-way to
[[UNTRUSTED_DATA]], never reconstructed on read), instruction-shaped writes are screened and quarantined (visible in the write ack;include_quarantined: trueopts reads back in), and reads come back wrapped in<<<UNTRUSTED_DATA>>>markers;storage.sanitize.unwrap_valuerecovers the raw value when a consumer needs it (e.g. tojson.loads). Honest framing: these are layers, not proofs — deterministic screens and wrappers are bypassable by an adaptive attacker; adversarial evaluation is pending (see Phase 10 backlog inDECISION-PROTOCOL.md). - Content-addressed artifacts (sha256, global dedup), 50 MB cap, ranged reads.
- Per-surface rotatable tokens (web vs. desktop-cli) managed from a password-gated
/admindashboard.
The 23 tools
| Group | Tools |
|---|---|
| memory | memory_save memory_get memory_list memory_history memory_delete memory_search |
| handoff | handoff_save handoff_load handoff_list |
| session | session_create session_append_event session_get session_list session_events |
| artifact | artifact_put artifact_get artifact_list |
| coordination | coord_health coord_drift_scan coord_reconcile coord_curate |
| feedback | observation_log |
| admin | stats |
/healthz (liveness) and the /admin token dashboard are served separately (not
MCP tools).
Tenancy — namespace is the project boundary
namespace == project == tenant. One namespace per project (e.g.
acme-billing), with conventional sub-scopes by key prefix (coord/…,
knowledge/…). Every per-project tool takes a required namespace and every
query filters on it — there are no implicit cross-project reads. The session
and session_event tables carry namespace too, so episodic memory is scoped
like everything else.
Artifacts are the deliberate exception: they are content-addressed (sha256) and dedup globally, so they are not tenant-scoped — the hash is the capability.
Honest limit (and the v2 fix)
The per-surface tokens scope which client surface connects, not which project it may touch: any holder of any active token can pass any namespace, so namespace remains a soft boundary — real isolation for honest clients, not enforced against a misbehaving one.
v2 auth roadmap — per-project tokens/roles. A token scoped to
acme-billingmust not be able to read or writeother-project. Until then, treat the namespace boundary as a convention enforced by client configuration, not by the server. (See REUSABILITY.md → "namespace is the tenant boundary".)
Auth & the /admin dashboard
MCP tokens are stored in Postgres (admin_auth_tokens) and rotatable from
/admin without a redeploy. There is one active token per surface:
| surface | label | how the client sends it |
|---|---|---|
| claude.ai web connector | web |
?token=<token> in the URL (the web connector can't send headers) |
| Claude Desktop and the Claude Code CLI | desktop-cli |
Authorization: Bearer <token> |
| Cursor | cursor |
Authorization: Bearer <token> (via .cursor/mcp.json) |
The gate accepts any active token, so each surface can be rotated or
revoked independently — rotating web never disturbs desktop-cli or
cursor. The
/admin page shows one card per surface with a ready-to-paste URL/command and
its own rotate button.
MCP_AUTH_TOKEN seeds the web token on initial boot (so an existing
claude.ai connector keeps working); desktop-cli and cursor are
auto-generated. After first boot the dashboard is the source of truth.
/adminis password-gated byADMIN_PASSWORD(signed, HttpOnly session cookie, CSRF-protected). Without it the dashboard refuses logins.- The only routes not behind the bearer gate are
GET /healthz, the streamedGET /artifact/{sha256}, and/admin(which self-authenticates).
Stateless transport. /mcp runs in stateless HTTP mode
(http_app(stateless_http=True)): every request is self-contained, with no
in-memory session affinity. Client sessions therefore survive VM
restarts/redeploys, and the three surfaces share no server-side session state.
Architecture
- One
AsyncConnectionPoolcreated in the FastAPIlifespan(app.py), injected viadeps. Nothing else opens a connection. The pool is built withcheck=AsyncConnectionPool.check_connection, so a connection terminated server-side while idle is validated and discarded on checkout, never handed to a caller. - One
config.py(pydantic-settings) — the only place secrets are read. StorageBackendABC (storage/base.py) implemented byPostgresBackend; the 18 tools map 1:1 onto it.- Transparent reconnect: reads and idempotent writes retry on a connection
drop (
_retry_on_disconnect), so e.g.OperationalError: terminating connection due to administrator command(SQLSTATE 57P01, Neon scale-down / PgBouncer) is retried on a fresh pooled connection instead of surfacing to the caller. Only genuine disconnects (08xxx/57P0x/ an already-closed connection) are retried — other operational errors (lock timeout, too-many-connections) surface unchanged. Writes retry only when a replay is safe:artifact_put(content-addressed) always, andmemory_save/handoff_save/memory_deleteonly when given anevent_id(exactly-once). Thesession_*writes also retry, with an explicit tradeoff: a drop in the narrow commit-ack window meanssession_createmay orphan an empty, unreferenced session row, andsession_append_eventis at-least-once (a replay can append one duplicate event). For an append-only session log that beats failing the call outright; a save with noevent_idstill runs once and surfaces the error. - Write-path
sanitizestrips forged delimiters/control chars; reads wrap values in<<<UNTRUSTED_DATA>>>markers (lethal-trifecta defense). Note: thevalue(and session-eventpayload) fields come back wrapped, so a consumer that needs the raw value — e.g. tojson.loadsa value that was a JSON string — must strip the markers first. Usestorage.sanitize.unwrap_value(orstrip_untrustedfor a single string); the wrapping stays applied on every read. - Bounded lifespan readiness (no unbounded
pool.wait()), 50 MB artifact cap, ranged blob reads, idempotentevent_idwrites, idempotent blob backfill. - Semantic recall (
memory_search): when aVOYAGE_API_KEYis set, everymemory_saveembeds the entry (Voyage,voyage-3.5-lite, 1024-dim) into a nullableembedding vector(1024)column with an HNSW cosine index, andmemory_searchranks live entries by meaning (embedding <=> query), then backfills keyword/substring matches up tolimit. Embedding is best-effort: it runs before a connection is taken and never blocks (or fails) a write, and with no key the column stays NULL and search degrades to pure keyword — the pre-Phase-3 behavior. Every leg filters onnamespacefirst (no cross-project recall). After enabling a key on an existing DB, embed old rows once withpython scripts/backfill_embeddings.py(idempotent, only touches NULL rows). - Recall tuning (
hnsw.ef_search): the HNSW index is approximate, so a larger store can miss relevant hits unless its query-time recall parameter is tuned.memory_searchsetshnsw.ef_searchper-statement (transaction-local, semantic leg only) fromHNSW_EF_SEARCH(default100; pgvector's own default is40). Higher = better recall, slightly slower search; it must be>=the search limit to take effect. Small stores return the same rows regardless, so the default is safe to leave alone — raise it (e.g.200) if a large tenant reports missing results, lower it toward40to shave latency. Very large tenants can also tune the index build parameters (m,ef_construction); seemigrations/0002_embeddings.sql(changing those requires recreating the index). - Coordination reconciler (
coord_reconcile): when GitHub access is available, aclaim(withmeta.repo+meta.pr/meta.branch) is resolved against live GitHub — is PR #N merged? what is branch X's head? — and stamped with an append-only verdict; without access it staysunverifiable(never a wrongcurrent). Access is sourced in priority order: an explicitGITHUB_TOKEN(read-only repo + PRs), else — on Replit — the connected GitHub account via the Replit connector (token fetched fresh per cache-window so it survives OAuth refresh), else disabled. Resolution is best-effort: a network/API failure yieldsunverifiable, never a blocked write.GITHUB_WEBHOOK_SECRETenablesPOST /webhook/githubto reconcile affected claims on push / pull_request. - Memory curator (
coord_curate): whenANTHROPIC_API_KEYis set, a finished session can be consolidated write-side:coord_curate(namespace, session_id)reads the session's execution trace plus similar existing memories, asks the model what is worth persisting, and applies the resultingADD/UPDATE/MERGE/SUPERSEDE/NOOPoperations deterministically. Every op passes a fail-closed PHI gate first, claims without provenance (meta.repo+meta.pr/branch) are downgraded to notes, supersession sets a validity boundary (history is kept, never deleted), and writes are idempotent (deterministicevent_id) so re-running a session never double-writes. It is best-effort: without the key the curator is disabled andcoord_curateis a clean no-op ({curator_enabled: false, operations: []}), and any model/parse failure yields zero operations — never a wrong write.dry_run=Truereturns the proposed operations without writing.CURATOR_MODELandCURATOR_MAX_OUTPUT_TOKENStune it. Curated rows also carry a secondhyde_embedding, somemory_searchcan match a future question (HyDE leg) as well as the stored statement.
Run locally
cp .env.example .env # DATABASE_URL + MCP_AUTH_TOKEN + ADMIN_PASSWORD
make install # pip install -c constraints.txt -e ".[test]"
make migrate # apply migrations/0001_init.sql
make run # uvicorn app:app
curl localhost:8000/healthz # {"status":"ok","db":"ok"}
# token: open http://localhost:8000/admin and sign in with ADMIN_PASSWORD
Tests (real Postgres)
The suite runs against a real Postgres and skips cleanly if DATABASE_URL is
unset. The neutral test project is proj-test (never a real project name).
DATABASE_URL=... make test
CI (.github/workflows/test.yml) spins an ephemeral Neon branch per run,
migrates it, runs pytest, and deletes the branch. Set repo secrets
NEON_API_KEY and NEON_PROJECT_ID to enable it.
Smoke test (the connector handshake)
scripts/smoke_mcp.py performs the exact handshake a Claude connector does —
initialize + tools/list over /mcp with a valid token — and asserts HTTP 200
with the full 23-tool surface, plus the guard rails (no/bad token ⇒ 401,
/healthz db ok). It exists so a transport/auth/host regression (like the
fastmcp 3.4.3 421) can never ship silently again.
Blocks a bad build: the in-process half runs in CI via
pytest(tests/test_smoke_mcp.py) against the ephemeral Neon branch — a broken handshake, gate, or tool count fails the build before it can deploy.Flags an unhealthy live deploy: run it against the deployed URL after a deploy. It exits non-zero on any failed check:
SMOKE_BASE_URL=https://<your-vm> SMOKE_TOKEN=<active token> make smoke.github/workflows/smoke.ymlruns this against a live URL on manual dispatch (or a 6-hour schedule); set repo secretsSMOKE_BASE_URLandSMOKE_TOKENto enable it (it no-ops cleanly when unset).
Deploy on Replit (Reserved VM)
- In Secrets, set
DATABASE_URL(pooled endpoint),MCP_AUTH_TOKEN, andADMIN_PASSWORD(plus optional Phase-3 keys). - Deploy as a Reserved VM (
deploymentTarget = "vm") — not Autoscale; the durability gate needs the process to persist. - The deploy
runstep runspython scripts/migrate.pythen starts uvicorn. - Open
https://<your-vm>/admin, sign in, and copy/rotate the token. Point each client athttps://<your-vm>/mcp.
Pinned dependencies (deterministic builds)
pyproject.toml declares loose ranges, but the deploy build, post-merge.sh, and
make install all pass -c constraints.txt, so prod installs the exact versions
verified in dev. This is the guardrail against the class of failure that caused the
prod /mcp 421 outage (an unpinned build silently resolving a newer fastmcp).
To intentionally upgrade a dependency (so pins don't rot):
pip install -U <pkg> # or `pip install -e .` to re-resolve a widened range
make test # AND exercise /mcp locally
make lock # regenerate constraints.txt from the verified env
# then redeploy — prod now installs the newly verified set
Never hand-edit versions in constraints.txt; always regenerate with make lock
(scripts/lock-deps.sh). The file header documents the same procedure.
Postgres / Neon
Use the pooled connection string for the running service; psycopg is
configured with prepare_threshold=None for PgBouncer transaction pooling. Tests
and scripts/migrate.py use a direct endpoint (the test pool keeps prepared
statements on).
Boundary
This repo is Tier 1 only. Canvas-specific MCP tools, FHIR logic, and SDK
knowledge live in the separate canvas-sdk-tools repo — never here.
Blob migration (filesystem → bytea)
python scripts/backfill_artifacts.py /path/to/old/blobstore
Idempotent (dedup by sha256), streams each file, skips/reports anything over the 50 MB cap, and verifies a random sample by checksum readback.
Установка Assist Memory
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/aliomraniH/mcp-assist-memoryFAQ
Assist Memory MCP бесплатный?
Да, Assist Memory MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Assist Memory?
Нет, Assist Memory работает без API-ключей и переменных окружения.
Assist Memory — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Assist Memory в Claude Desktop, Claude Code или Cursor?
Открой Assist Memory на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
wenb1n-dev/SmartDB_MCP
A universal database MCP server supporting simultaneous connections to multiple databases. It provides tools for database operations, health analysis, SQL optim
автор: wenb1n-devPostgres Server
This server enables interaction with PostgreSQL databases through the Model Context Protocol, optimized for the AWS Bedrock AgentCore Runtime. It provides tools
автор: madhurprashPostgres
Query your database in natural language
автор: AnthropicPostgreSQL
Read-only database access with schema inspection.
автор: modelcontextprotocolCompare Assist Memory with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории data
