Per-agent isolation
Extracted memories land in the agent's own self
namespace. Two principals working in the same repo get separate
project namespaces by default.
Run one Remnic server on a machine you control and point every agent at it. The standalone server speaks HTTP and MCP, isolates tenants with namespaces and ACLs, and ships an operator console so you can see exactly what is stored and why. No cloud account, no subscription.
@remnic/server is bundled in
@remnic/cli. Bring up the daemon with
remnic daemon start, or run the server directly.
It binds 127.0.0.1:4318 by default and gates every
request on a loopback bearer token.
npx --package @remnic/server remnic-server --port 4318
# Bearer token via --auth-token or REMNIC_AUTH_TOKEN @remnic/server serves the full memory and context tool
surface over HTTP and MCP: recall, store, entity lookup, correction,
X-ray provenance, and the operator API. The bind address defaults to
loopback and the auth token is required, so nothing is exposed until
you decide to expose it. Set REMNIC_AUTH_TOKEN to a
random value and put the server behind a tunnel only when you need
remote agents to reach it.
Turn on namespacesEnabled and each agent gets its own
self namespace plus a curated shared
namespace for cross-agent context. namespacePolicies
lists the read and write principals per namespace, so one install
can host several agents or users without leaking memory between
them.
Extracted memories land in the agent's own self
namespace. Two principals working in the same repo get separate
project namespaces by default.
The shared namespace provides cross-agent context.
Promotion is opt-in and category-gated, so sharing is a decision,
not a default.
namespacePolicies binds each namespace to explicit
read and write principals. Explicit namespace overrides still go
through the policy checks.
Optional scopeProfiles and teams layer
user, team-project, and server-shared namespaces for hosted-team
setups. Team namespaces derive from trusted config, never from
caller-supplied strings.
Set server.adminConsoleEnabled: true (default
false) and the browser console mounts at
/remnic/ui/. It is a memory browser, a recall debugger,
trust-zone and review-queue panes, an entity explorer, and a live
force-directed memory-graph view. Every fetch and every operator
action goes through the same loopback bearer token as the rest of
the operator API, so the console adds no new trust surface.
remnic daemon start hands the process off to launchd or
systemd when a service is installed, so the server survives logout
and reboots. It stays idle until an agent talks to it, so it is not
another thing to babysit.
The published container image includes the QMD search backend, so
there is no separate index install. It exposes port
4318, stores memory under the /data
volume, and reads the bearer token from
REMNIC_AUTH_TOKEN.
docker run --rm \
-p 4318:4318 \
-v remnic-data:/data \
-e REMNIC_AUTH_TOKEN=change-me \
ghcr.io/joshuaswarren/remnic:latest Remnic Relay is recent work built during OpenAI Build Week 2026. It tackles the team version of the correction problem: when two agents hold conflicting beliefs, evidence identifies the stale one, a human approves a single correction, and the replacement crosses into a cold agent that had never seen it, so the same test passes on the next run. One approval, propagated, with a receipt for who approved what and which agent learned it.