Context
agent-kernel models capabilities, policy decisions, frames, handles, and audit traces for tool-using agents. As agents gain persistent memory, memory read/write operations become security-relevant actions that should be represented and governed like other capabilities.
Problem
Reading memory can expose sensitive past context. Writing memory can create durable false assumptions, leak secrets into future sessions, or pollute project-level context. Without explicit memory capabilities, policy and audit layers cannot distinguish safe ephemeral context use from durable memory access.
Scope
- Model memory read and memory write as capability/action types or equivalent policy inputs.
- Allow policy checks to distinguish read vs write, memory scope, sensitivity, and durability.
- Add audit trace entries for memory access decisions.
- Add examples/tests for allowed project memory read, denied sensitive memory read, allowed safe memory write, and ask/deny for durable memory write if supported.
- Keep the implementation generic and storage-agnostic.
Out of scope
- Do not implement a memory database or vector store.
- Do not integrate with a specific memory product.
- Do not add background memory capture.
- Do not remove existing generic capability behavior.
Suggested implementation
Inspect capability request/decision models, policy engine, action trace, and the new intent/scope issue #72. Consider using existing capability names such as memory.read and memory.write or adding a small helper model for memory actions. Preserve backward compatibility.
Acceptance criteria
Tests
Add unit tests for policy evaluation of memory read/write actions and audit trace output. Include a redaction test for sensitive memory payloads.
Documentation
Add a short example policy section for memory actions, including project-scoped memory and sensitive/personal memory.
Dependencies
Pairs naturally with #72, #73, and #74. Should align with weaver-spec MemoryArtifact/SessionHandoff contract issue #56.
AI agent notes
Start from existing capability and policy models. Keep this storage-neutral. Avoid logging raw memory text in traces. Treat memory writes as potentially higher risk than memory reads because they persist into future sessions.
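An added sketch of the policy behaviour the Scope section asks for; it is not agent-kernel's code or API. `MemoryRequest`, `AuditTrace`, `evaluate`, the scope and sensitivity values, and the rule that sensitive or personal memory is denied for both reads and writes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MEMORY_ACTIONS = ("memory.read", "memory.write")  # capability names from the issue

@dataclass(frozen=True)
class MemoryRequest:          # hypothetical helper model, not agent-kernel's API
    action: str               # "memory.read" or "memory.write"
    scope: str                # assumed values: "session", "project", "personal"
    sensitivity: str          # assumed values: "low", "sensitive"
    durable: bool = False     # True if the write persists into future sessions
    payload: str = ""         # raw memory text; must never reach the trace

@dataclass
class AuditTrace:
    entries: list = field(default_factory=list)

    def record(self, req: MemoryRequest, decision: str, reason: str) -> None:
        self.entries.append({
            "action": req.action, "scope": req.scope,
            "sensitivity": req.sensitivity, "durable": req.durable,
            "decision": decision, "reason": reason,
            "payload": f"[redacted, {len(req.payload)} chars]",  # length only
        })

def evaluate(req: MemoryRequest, trace: AuditTrace) -> str:
    """Return "allow", "ask" or "deny" and always write one trace entry."""
    if req.action not in MEMORY_ACTIONS:
        decision, reason = "deny", "not a memory capability"
    elif req.sensitivity == "sensitive" or req.scope == "personal":
        # Assumption: sensitive/personal memory is denied for reads and writes.
        decision, reason = "deny", "sensitive or personal memory"
    elif req.action == "memory.write" and req.durable:
        # Durable writes outlive the session, so a human confirms them.
        decision, reason = "ask", "durable write persists into future sessions"
    else:
        decision, reason = "allow", "non-sensitive, within policy"
    trace.record(req, decision, reason)
    return decision

if __name__ == "__main__":
    trace = AuditTrace()
    samples = [  # constructed requests covering the four cases listed in Scope
        MemoryRequest("memory.read", "project", "low"),
        MemoryRequest("memory.read", "personal", "sensitive", payload="token=CONSTRUCTED"),
        MemoryRequest("memory.write", "session", "low", payload="user prefers tabs"),
        MemoryRequest("memory.write", "project", "low", True, "build uses make"),
    ]
    for s in samples:
        print(evaluate(s, trace), trace.entries[-1])
```

Every decision, including a deny, produces a trace entry, so the audit layer sees refused sensitive reads as well as granted ones.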