A real company. A real brain. Running right now.
Aurelian Therapeutics is invented; everything below is not. Its people write, revise and withdraw real documents, and Mnemosyne reads them — deciding who may see each one, anchoring it so it cannot be altered, and refusing any “fact” that is not actually in the text. Nothing here is animated. If a line says a fact changed, a fact changed.
What just happened iEach thing a person does, and — indented beneath it — exactly what Mnemosyne did in response. The indentation is the causal link: her work is threaded under the human action that caused it. The gold code is that event’s own anchor on the tamper-evident chain: even this log cannot be quietly rewritten.
Taught by a human iWhen she is not sure who may see a document, she holds it and a person rules on it. Every ruling is signed with that person’s key and anchored on the chain — so “who approved this, and when” is a signature you can check, not a log line you are asked to trust. And each ruling grades her: it is how she gets better.
This is the part a search engine cannot do. A person corrects her, the correction is signed and anchored, and she carries it forward — so the same mistake costs the company once.
What this does not do (yet)
- No question-answering yet. This is ingestion, tagging, grounding and need-to-know. Live Q&A with the full answer-gate is the next phase.
- She over-tags. Too restricted is the safe direction — never too exposed — but it is real, and a human still reviews what she holds back.
- Revocation is forward-looking. Removing someone’s key stops all future access; it cannot un-read what they already read. We do not pretend otherwise.
Aurelian Therapeutics — the synthetic company
A mid-size pharmaceutical firm with three competing drug programmes, a board that sees things staff must not, and patient data it is legally obliged to protect. It is invented precisely so we can hold a hidden answer key — every fact, and every document’s true access labels. Mnemosyne never sees that key. She works from the documents alone, exactly as she would at a real customer, and we grade her against it.
The threat model iWhat we assume an attacker can do. We assume the AI itself is compromised — jailbroken, prompt-injected, or simply lying. Everything below is designed not to depend on it behaving.
| The threat | What stops it | Why it holds |
|---|---|---|
| The AI is fooled into inventing a fact | Every fact must quote its source, checked outside the model | An unanchored claim never enters the knowledge base |
| The AI is fooled into leaking across projects | Documents are encrypted per label-set; no clearance ⇒ no key | The model does not hold the keys, and cannot talk its way into one |
| An employee leaves and keeps a copy of their laptop | Key revoked as a signed, anchored event | All future access ends. Past reads cannot be undone — and we say so |
| Someone quietly edits a stored record | Tamper-evident chain over every document and event | Recomputing the chain fails; the alteration is visible |
| A document is mis-filed so its caveats are missed | Deterministic floors: content, file path, and doc-type policy | A compromised model can add restriction — never remove it |
The people, and what their keys open
“Can open” is not a UI permission. It is the number of documents the keyring will actually hand this person a decryption key for. Watch it change when someone moves department, and drop to zero when they leave.
| Name | Role | Dept | Can open | Clearances |
|---|---|---|---|---|
| loading… | ||||
Try to break it.
Search the company’s real documents as one of its employees. Pick someone who should not be able to see what you are looking for. You are not hitting a demo of the gate — you are hitting the gate.
Search the archive as…
Try AUR-101 as the CFO — finance clearance, no clinical clearance. Or search anything as someone who has left: their key is revoked, so they hold nothing at all.
Pick a person and search. Results appear here.
An uncleared searcher gets no results and no count. Even “0 of 4 matched” would leak the 4 — telling you a thing exists is already telling you something.
Published limits
- We do not claim the AI cannot be fooled. Prompt injection is unsolved industry-wide, and any vendor claiming immunity to it is one disclosure away from embarrassment. We claim something narrower and stronger: even a fully compromised model cannot invent a fact or leak across compartments — because neither depends on it behaving.
- Grounding is not the same as being right. A correctly-cited source can still be wrong. We prove provenance, not truth.
The chain, in the open
Every block Mnemosyne seals, and every transaction inside it — the tamper-evident spine and its sidechains, verifiable right here. Check the integrity of any chain, open any block, look up any anchor. The structure of everything is public; the content of sealed knowledge and audit records stays encrypted, because this explorer holds no keys. Verify everything; read nothing you should not.