Agents propose memories. Evidence verifies them. recall() returns only what has earned trust, so a hallucinated, stale, or poisoned "fact" never reaches your other agents.
Give your agents a shared memory and it's a superpower, until one agent hallucinates a fact, copies a stale number, or reads a poisoned note. In every other memory layer, that mistake becomes every agent's "truth", silently, forever. (Memory poisoning is OWASP agentic risk ASI06.)
memotrust flips the default: nothing is trusted on arrival. A memory reaches recall() only after it's verified against a real source or approved by a human. Trust decays. Disputes withhold. Every verdict keeps a receipt.
memotrust is the shared source of truth for your whole agent fleet. Claude Code, Cursor, and every MCP client read and write the same store, so a fact one agent proves, all of them can trust.
And because it's git-backed, that memory is versioned, diffable, and portable: branch it, review it, roll it back, sync it however you sync code. It's the home for everything your agents know, and every line of it has earned its place.
npx memotrust install # create the store, git-init it, register the MCP with your agentPoint Claude Code, Cursor, or any MCP client at it, and your agents can propose and recall. The dashboard comes up at http://localhost:8765.
Everything your agents know, and exactly how much of it is proven. Review the inbox, approve or dispute at a glance, watch trust coverage, and audit any claim's full evidence chain.
A verifier confirms or refutes a claim against a source of truth. It is always read-only: it can query, never write, update, or delete.
- Built in, zero credentials. Check a claim against a file, a URL, or a command:
check: {"kind": "file", "path": "package.json", "contains": "pnpm"} check: {"kind": "url", "url": "https://api.example.com/health", "status": 200}
- Connect a source of truth. Mixpanel is built-in (a read-scoped service account confirms growth and metric claims). Connect any other read-only MCP data source, or let your agent submit a read-only observation, and memotrust decides the verdict, the agent never can.
- Human approval. Anything you'd rather confirm yourself, in one click.
commandchecks are disabled by default: a poisoned claim must never become code execution. Opt in withMEMOTRUST_ALLOW_COMMAND_CHECKS=1.
There is no LLM inside the store: your agent extracts durable facts and proposes them over MCP; memotrust only ever judges the evidence and records the receipt.
| Tool | What it does |
|---|---|
recall |
Only trusted + fresh + in-scope memory; disproven approaches come back as warnings |
propose |
File a new memory; it lands quarantined, never trusted on arrival |
search |
Everything at any trust level, each result labeled with its status |
vocabulary |
Existing spaces + tags, so agents reuse names instead of inventing synonyms |
pending_verifications |
Claims that carry a machine-checkable assertion, awaiting a reading |
submit_evidence |
Submit a read-only observation; memotrust judges, not the agent |
| plain memory | memotrust | |
|---|---|---|
| New memory is… | trusted immediately | quarantined until verified |
| Hallucinated / poisoned note | served to every agent | withheld, never recalled |
| Stale facts | linger and win | decay after 60 days, re-verify |
| "We already tried that" | forgotten | returned as a warning |
| Why is this trusted? | ¯\_(ツ)_/¯ | an auditable receipt |
Issues and PRs welcome. npm test runs the store + verifier suite; npm run test:e2e runs the end-to-end MCP acceptance test. House style: docs/code-style.md.
If verified memory is something your agents need, ⭐ star the repo. It helps a lot.
MIT · built for the Model Context Protocol


