Skip to main content
Glama

memotrust

Verified memory for AI agents. Your agents remember only what's true.

npm license MCP stars

Agents propose memories. Evidence verifies them. recall() returns only what has earned trust, so a hallucinated, stale, or poisoned "fact" never reaches your other agents.


Why memotrust

Give your agents a shared memory and it's a superpower, until one agent hallucinates a fact, copies a stale number, or reads a poisoned note. In every other memory layer, that mistake becomes every agent's "truth", silently, forever. (Memory poisoning is OWASP agentic risk ASI06.)

memotrust flips the default: nothing is trusted on arrival. A memory reaches recall() only after it's verified against a real source or approved by a human. Trust decays. Disputes withhold. Every verdict keeps a receipt.

Related MCP server: agent-knowledge

What's inside

  Trusted recall

recall() returns only verified, fresh, in-scope memory, ranked. No guesses, no stale wins.

  One shared memory

Every agent, Claude Code, Cursor, any MCP client, reads and writes the same store. Git-backed, so what your agents know is versioned, diffable, and portable.

  Poison can't spread

Every new memory is quarantined until proven. One agent's bad note can't become another's fact.

  MCP Verifiers

Read-only checks that turn a claim into trusted knowledge: built in, or connected to a source of truth.

  Read-only connectors

Confirm domain claims against live data. Mixpanel built-in; connect any read-only MCP source.

  Dashboard

A local UI to review, approve, dispute, and manage every memory and every verifier connection.

  Receipts, not vibes

Every verdict records the query, the reading, and the judgment. Audit why anything is trusted.

  Just files

Markdown claims plus an append-only log, git-backed. Human-readable, diffable, no database.

One memory, every agent

memotrust is the shared source of truth for your whole agent fleet. Claude Code, Cursor, and every MCP client read and write the same store, so a fact one agent proves, all of them can trust.

And because it's git-backed, that memory is versioned, diffable, and portable: branch it, review it, roll it back, sync it however you sync code. It's the home for everything your agents know, and every line of it has earned its place.

Quick start

npx memotrust install     # create the store, git-init it, register the MCP with your agent

Point Claude Code, Cursor, or any MCP client at it, and your agents can propose and recall. The dashboard comes up at http://localhost:8765.

The dashboard

Everything your agents know, and exactly how much of it is proven. Review the inbox, approve or dispute at a glance, watch trust coverage, and audit any claim's full evidence chain.

MCP verifiers, read-only

A verifier confirms or refutes a claim against a source of truth. It is always read-only: it can query, never write, update, or delete.

  • Built in, zero credentials. Check a claim against a file, a URL, or a command:

    check: {"kind": "file", "path": "package.json", "contains": "pnpm"}
    check: {"kind": "url",  "url": "https://api.example.com/health", "status": 200}
  • Connect a source of truth. Mixpanel is built-in (a read-scoped service account confirms growth and metric claims). Connect any other read-only MCP data source, or let your agent submit a read-only observation, and memotrust decides the verdict, the agent never can.

  • Human approval. Anything you'd rather confirm yourself, in one click.

command checks are disabled by default: a poisoned claim must never become code execution. Opt in with MEMOTRUST_ALLOW_COMMAND_CHECKS=1.

How it works

There is no LLM inside the store: your agent extracts durable facts and proposes them over MCP; memotrust only ever judges the evidence and records the receipt.

The tools your agent gets

Tool

What it does

recall

Only trusted + fresh + in-scope memory; disproven approaches come back as warnings

propose

File a new memory; it lands quarantined, never trusted on arrival

search

Everything at any trust level, each result labeled with its status

vocabulary

Existing spaces + tags, so agents reuse names instead of inventing synonyms

pending_verifications

Claims that carry a machine-checkable assertion, awaiting a reading

submit_evidence

Submit a read-only observation; memotrust judges, not the agent

memotrust vs. a plain memory layer

plain memory

memotrust

New memory is…

trusted immediately

quarantined until verified

Hallucinated / poisoned note

served to every agent

withheld, never recalled

Stale facts

linger and win

decay after 60 days, re-verify

"We already tried that"

forgotten

returned as a warning

Why is this trusted?

¯\_(ツ)_

an auditable receipt

Contributing

Issues and PRs welcome. npm test runs the store + verifier suite; npm run test:e2e runs the end-to-end MCP acceptance test. House style: docs/code-style.md.

If verified memory is something your agents need, ⭐ star the repo. It helps a lot.

MIT · built for the Model Context Protocol

A
license - permissive license
-
quality - not tested
C
maintenance

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Idanref/memotrust'

If you have feedback or need assistance with the MCP directory API, please join our Discord server