Memory Governance Contract
Status: draft
This contract defines how orchestrators such as Anthesis may request memory from the Dubnium memory service without delegating governance authority to the memory service itself.
Boundary
Anthesis / orchestrator
- classifies task risk
- authorizes memory scope
- chooses sensitivity filters
- decides whether retrieved memory enters prompt context
- records execution envelope
Dubnium memory service
- stores memories
- filters by scope, sensitivity, verification, rejection, and TTL
- returns retrieval candidates
- records retrieval events and metadata
The memory service must not assemble final prompts or decide whether a memory is safe to inject into an agent context.
Scope Convention
Memory scopes should use one of these prefixes:
personal:
project:
session:
agent:
workflow:
Examples:
project:dubnium
session:11111111-1111-4111-8111-111111111111
agent:anthesis-reviewer
workflow:memory-phase-2
The current scope helper is advisory. Runtime enforcement may be added after existing callers and examples are fully migrated.
Retrieval Request
A retrieval request may include governance metadata in addition to the Phase 1 filters.
{
"query": "What changed in memory phase 2?",
"scope": "project:dubnium",
"allowed_sensitivity": ["internal"],
"require_verified": true,
"limit": 8,
"purpose": "review",
"requester": {
"actor_type": "agent",
"actor_id": "anthesis-reviewer"
},
"envelope_id": "env-20260528-001"
}
Required Fields
| Field | Meaning |
|---|---|
query | Retrieval query text |
scope | Retrieval boundary, such as project:dubnium |
Optional Fields
| Field | Meaning | Default |
|---|---|---|
allowed_sensitivity | Sensitivity labels allowed in results | ["internal"] |
require_verified | Whether only verified memory may return | false |
limit | Maximum memory candidates | 8 |
purpose | Orchestrator purpose: ask, plan, patch, review, test | omitted |
requester | Actor requesting retrieval | omitted |
envelope_id | Upstream Anthesis execution envelope id | omitted |
Retrieval Event
Every retrieval returns an event.
{
"id": "uuid",
"scope": "project:dubnium",
"query": "What changed in memory phase 2?",
"returned_memory_ids": ["uuid"],
"returned_artifact_ids": [],
"metadata": {
"allowed_sensitivity": ["internal"],
"require_verified": true,
"limit": 8,
"purpose": "review",
"requester": {
"actor_type": "agent",
"actor_id": "anthesis-reviewer"
},
"envelope_id": "env-20260528-001"
}
}
The event is an audit hook. It is not proof that the memory entered a prompt. Anthesis must separately record prompt assembly and provider execution in its own envelope.
Normal Retrieval Rules
Normal retrieval excludes memory when:
- scope does not match the request
- sensitivity is not explicitly allowed
require_verifiedis true and memory is notverified- memory is expired by TTL
- memory has
validation_status = rejected
Rejected memory is excluded even when require_verified = false.
Audit retrieval of rejected memory is future work and should use a separate endpoint or explicit audit mode.
Memory Promotion
Memory should move through explicit states:
working -> episodic -> semantic -> repo doc / ADR / runbook
Promotion rules:
- working memory may be generated inside a session
- episodic memory must summarize a meaningful event or task
- semantic memory must represent a stable fact, decision, convention, or invariant
- repo docs, ADRs, and runbooks remain higher-authority than memory rows
Rejection Reasons
Memory candidates should be rejected or marked rejected when they contain:
- secret-like content that redaction could not confidently sanitize
- cross-scope contamination
- unsupported or hallucinated claims
- stale facts
- prompt-injection residue
- weak or missing provenance
Rejected memory must not appear in normal retrieval paths.
Anthesis Envelope Handoff
Anthesis should record:
- retrieval request
- retrieval event id
- returned memory ids
- returned artifact ids
- prompt assembly decision
- provider decision
- model/provider response
- validation result
The memory service only supplies retrieval candidates and metadata. Governance remains external.