Provenance-first agent memory
A memory without provenance is not memory; it is a rumor with good embeddings. Semantic similarity can find a claim, but it cannot tell the runtime whether that claim was user-stated, inferred, externally sourced, stale, sensitive, or permitted for the action being considered.
My personal agent infrastructure represents those concerns as policy, not prompt prose. Newly extracted candidates default to weak trust, internal sensitivity, retrieval-only use, and explicit prohibitions on autonomous side effects. A current-session confirmation can strengthen a decision without silently rewriting the durable source.
Retrieval and permission are separate gates. A highly relevant memory may still be prohibited for sending a message, running code, publishing content, or controlling a device. That separation keeps personalization useful without turning remembered context into ambient authority.
The current proof surface is executable: a policy evaluator, conservative lifecycle defaults, adapters, and tests covering weak-trust side effects and explicit prohibitions. The next public artifact should add a small interactive policy matrix rather than another diagram that cannot be exercised.