Memory security

Memory has to be useful without being easy to drain.

A local memory system still needs a serious read-surface threat model. This track studies adaptive extraction attacks and the controls that keep recall powerful without making bulk exfiltration trivial.

This is one research track, not the whole Remnic memory system. Remnic also includes extraction, recall injection, hybrid search, entity tracking, lifecycle hygiene, trust zones, procedural memory, local LLM routing, versioning, retention tiers, disclosure controls, project scoping, importers, benchmarks, recall X-ray, and more. These pages explain focused memory tracks inside that broader system.

The product idea in plain terms.

Define attacker tiers

Separate unauthenticated attackers, compromised same-namespace connectors, cross-namespace attempts, and co-resident processes.

Measure extraction

An attack harness can show how much memory an adaptive query loop can recover before mitigations are applied.

Budget disclosure

Read-query budgets, anomaly detection, and response caps reduce bulk extraction without breaking normal recall.
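
A sketch of how these controls can combine, added here as an illustration and not taken from Remnic's code: a hypothetical `ReadBudget` class enforces a per-window query budget, a per-response cap, and a cap on distinct memories disclosed, keyed by caller and namespace. All names, limits, and memory IDs are assumptions, and the query sequences are constructed.

```python
from collections import defaultdict, deque

class ReadBudget:
    """Hypothetical sliding-window read budget keyed by (principal, namespace)."""
    def __init__(self, window_s=60.0, max_queries=20, max_results=5, max_distinct=30):
        self.window_s = window_s
        self.max_queries = max_queries    # read-query budget per window
        self.max_results = max_results    # response cap per query
        self.max_distinct = max_distinct  # distinct memories disclosed per window
        self._queries = defaultdict(deque)  # key -> query timestamps
        self._seen = defaultdict(dict)      # key -> {memory_id: last disclosed at}

    def _expire(self, key, now):
        cutoff = now - self.window_s
        q = self._queries[key]
        while q and q[0] <= cutoff:
            q.popleft()
        self._seen[key] = {m: t for m, t in self._seen[key].items() if t > cutoff}

    def filter(self, principal, namespace, ranked_ids, now):
        """Return (ids allowed to be disclosed, reason)."""
        key = (principal, namespace)
        self._expire(key, now)
        if len(self._queries[key]) >= self.max_queries:
            return [], "query_budget_exhausted"
        self._queries[key].append(now)
        seen, out = self._seen[key], []
        for mid in ranked_ids[: self.max_results]:
            # Re-reading an already disclosed memory spends no new budget.
            if mid not in seen and len(seen) >= self.max_distinct:
                continue
            seen[mid] = now
            out.append(mid)
        full = len(out) == min(len(ranked_ids), self.max_results)
        return out, "ok" if full else "disclosure_budget_exhausted"

def simulate(budget, principal, queries, t0=0.0, step=1.0):
    """Run a constructed query sequence; return the distinct ids disclosed."""
    leaked = set()
    for i, ranked in enumerate(queries):
        ids, _ = budget.filter(principal, "ns-a", ranked, t0 + i * step)
        leaked.update(ids)
    return leaked

# Constructed inputs: a 200-item store swept 10 ids at a time, and a caller
# that keeps recalling the same small working set.
SWEEP = [[f"m{j}" for j in range(i, i + 10)] for i in range(0, 200, 10)]
NORMAL = [["m1", "m2", "m3"], ["m2", "m4"], ["m1", "m3", "m5"]] * 5
```

With these limits the sweep is held to 30 of the 200 constructed memories per window, while the repeated working-set recall is answered in full on every query.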

Already in Remnic
  • Bearer-token checks and namespace ACLs.
  • Trust zones for provenance and poisoning resistance.
  • Recall audit trails and access surfaces that support anomaly detection.

Landed in this track
  • PR #572 published the threat model; PR #619 added the ADAM harness and PR #633 published baseline ASR numbers.
  • PR #638 and PR #649 added cross-namespace query budgets.
  • PR #639, PR #650, PR #651, PR #652, PR #653, and PR #654 completed mitigation wiring, status checks, benchmarks, and docs.