Mnemosyne

Deep dive

How it works

The guarantees live in machinery the model does not control: an anchor it cannot forge, a key it cannot obtain, a gate it cannot talk past. Hover any underlined term for a plain-language definition.

Integrity & audit

Every ingest, question, retrieval and answer is written to an append-only spine of signed, hash-chained blocks, with per-compartment sidechains committing in by Merkle root. Alter one block and verification says so. The root can be anchored to an outside ledger so it cannot be quietly rewritten.

a compartment’s own chaincommits in by summary hashblock 1✓ verifiesblock 2✓ verifiesblock 3✓ verifiesblock 4✕ alteredblock 5✕ link brokenblock 6✕ link broken● the root can be published outside — confirmation pending by design✕ HALT — it refuses to serve, rather than serve a lie
Tamper with one block and the whole chain says so. Each block carries the previous one’s fingerprint, so altering block 4 breaks every link after it — you cannot quietly rewrite history, only visibly destroy it. When that happens the system stops serving rather than serve something it cannot vouch for. You can browse the real chain on the live demo — the diagram illustrates the mechanism, it is not a live view of a running system.

Timechain — tamper-evident audit chains

Shipped

Every knowledge unit, question, answer, and policy change is written as an append-only, hash-chained, Ed25519-signed block committed into a single spine. Because it is a single trusted writer on the customer's own box there are no reorgs or forks. verify_chain re-derives every hash and signature, so any silent modification, deletion, or forgery of a sealed block is detectable. Integrity is computed over ciphertext, so an auditor can prove tamper-evidence with zero read access.

Sealer-key rotation with handover chain

Shipped

The sealer is the most load-bearing key. Its pin is resolved by block seal-time from signed sealer_rotation governance events, each carrying a handover certificate in which the outgoing sealer signs the incoming key. The registry verifies an unbroken predecessor-signs-successor chain from genesis and is tip-anchored: the key valid now must equal the key actually held, or verification fails. Rotation no longer invalidates history.

Timechain Explorer

Shipped

A read-only block explorer over the live timechain: recent blocks across every sidechain, per-chain verify verdicts, block and transaction detail, and universal lookup by hash or anchor prefix. It is keyless — anyone can audit the chain's integrity — while any sealed payload is redacted, so browsing proves tamper-evidence without exposing content.

External anchoring (Bitcoin/OpenTimestamps + optional Solana)

In progress

The strongest adversary — one holding both the disk and the sealer key, who could rewrite the whole local chain consistently — is defeated only by publishing the spine root outside the box. Mnemosyne submits each transparency-log root to Bitcoin via OpenTimestamps, whose calendars aggregate every submitter into a single Bitcoin transaction they pay for themselves: no wallet, no key, and no fee, ever. Roughly two hours later the promise is collected and becomes a real Bitcoin block height, which the explorer links straight to a public block explorer. A three-state verdict (confirmed / pending / invalid) drives the integrity gate; a root pending past a window raises a visible freshness warning rather than a false halt. Because the verdict is parsed out of the calendar's own attestation, the product cannot claim Bitcoin without a Bitcoin block behind it.

Security & access

Access is a lattice, not a list: a reader must out-rank the level, hold every compartment, and clear every caveat — evaluated at key-wrap time, so need-to-know is cryptographic, not a display filter. Data at rest is sealed with envelope encryption.

P&L report ● anchoredlevel: confidentialcompartments: financecaveats: piilevel ≥compartments ⊆caveats ⊆at key-wrapCFOholds finance + piikey wrapped → plaintextCEOout-ranks everyoneno key → no plaintext
Seniority does not grant need-to-know. Levels inherit; compartments and caveats never do — so the CEO out-ranks the document and is still refused. Because the test runs when the key is wrapped, the boundary is cryptographic, not a display filter: no domination, no key, no plaintext. You can watch this exact behaviour on the live demo — the diagram illustrates the mechanism, it is not a live view of a running system.

ACL Lattice (DOMINATES predicate)

Shipped

Domination is: level(reader) >= level(doc) AND compartments(doc) within the reader's declared closure AND caveats(doc) within the reader's caveats. Levels inherit by seniority; compartments and caveats never do — the CEO deliberately holds neither mnpi nor pii. The predicate is evaluated at key-wrap time, so the boundary is cryptographic rather than a display filter: no domination means no wrapped key means no plaintext. The org model is a signed, anchored contract read back off the governance chain.

Load-boundary governance authority

Shipped

The authority to install a governance contract lives at the load/replay boundary every reader traverses, not merely at the write API. A contract is adopted only if its author held the required capability as of that transaction's timestamp; an org-contract requires the greater capability and the store independently classifies the widen/narrow delta and enforces the on-chain co-signature quorum and no-self-grant — never trusting the contract's self-declared fields. Any structural clearance enlargement is widen-by-construction.

Key-transparency log (identity & key management)

Shipped

Every actor has a libsodium keypair. Enrollment, clearance grants, capability grants, revocations, and the compartment scheme itself are signed contracts anchored on the governance chain, which doubles as a certificate-transparency-style key log. A revocation is per-identity terminal unless a strictly newer chained grant supersedes it. This is what lets access authority be audited rather than asserted.

Master key off disk

Shipped

Private seeds are wrapped at rest under a key-encryption-key derived from an operator secret that is never written down (passphrase / env / OS-keyring / KMS), held in memory only. A sealed keystore refuses to open without the right secret and cannot be silently downgraded to dev mode; a legacy plaintext seed is migrated and shredded on first open. This was a real defect found by a canary sweep (plaintext seeds sat beside the ciphertext they protected) and is the fix.

Envelope encryption & no-plaintext-at-rest

In progress

Each record and its source file are encrypted under a key scoped to their full label set, and that key is wrapped only for people who clear every one of those labels — so no clearance means no key, which means no plaintext. Integrity is verified over the ciphertext, so an auditor can prove nothing was tampered with while reading none of it. Two derived stores are not yet sealed to the same standard: the knowledge graph's fact labels, and the vector index behind semantic search (embeddings can be turned back into text, so they are not "just numbers"). Both are closed before any real customer data is ingested; neither affects the demo, which contains only synthetic data.

Breach-contained and fabrication-blocked under model compromise

In progress

The headline is deliberately scoped to the model-compromise adversary: the security guarantee lives in the anchor and the key-wrap, not in the model's obedience. A fooled model cannot fabricate (no anchor, blocked) and cannot pull an uncleared source into its context (the index is ciphertext to it). This is the approved phrasing, chosen precisely because immunity claims are indefensible.

Opaque content-free identifiers

Planned

Today an identifier is derived from the label it names, so the identifier can spell out the fact even where the ciphertext does not. The fix makes every identifier an opaque, content-free hash, with the human-readable name moved into a sealed alias map only a cleared reader can open. It is the root-cause fix that lets the graph's labels be sealed, and it stops the next derived store from leaking the same way. The subtlety being resolved: an identifier must stay stable for the same underlying fact, while revealing nothing about it.

Semantic-leakage / aggregation gate

Research

Grounding and clearance stop direct leaks, but a chain of individually-cleared facts can imply a restricted one. The design adds a non-leakage check over the composed reasoning frame plus a human-ratification loop that hardens the deterministic layer over time. This is named as the highest-risk unknown in the whole security thesis and is explicitly de-risked out of the MVP.

Cognition — grounding & the gate

Answers pass an out-of-model gate: every claim must dereference to an anchored, cleared source or it is blocked as a fabrication. Retrieval compounds because sources are curated once into a graph rather than re-fetched every query.

The modelproposes a claim— untrusted by designAnchored?does it resolve to a real sourceCleared?may THIS reader see that sourceEntailed?does the source actually say it(this leg is still being strengthened)✓ Cited answerwith its sources attachedall three run outside the model
No anchor, no answer. The model proposes; it does not decide. Because the checks run outside it, talking the model into something does not move them — a claim it cannot ground, or that you are not cleared for, simply never leaves. Grounding and clearance are live today; the third check is the one we are still strengthening, and we would rather show you that than draw three green ticks. This illustrates the mechanism — it is not a live view of a running system.
Retrieval (RAG) — re-derived every timeraw chunks, unlinkedquery 1 → re-fetch → answer → gonequery 2 → re-fetch → answer → gonequery 3 → re-fetch → answer → gonenothing accumulates — query 100 costs what query 1 costMnemosyne — curated once, then it compounds● ● ● three sources corroborate the same fact — confidence rises honestlyevery query traverses what is already verified — cheap, and citableyou pay once to curate; you recall for as long as the company exists
Pay once to curate. Recall cheaply and provably. Retrieval tools re-derive an answer from raw chunks on every query, so nothing gets better with use and nothing is checkable afterwards. We curate your sources once into a linked graph, so a fact stated in three documents accrues three independent observations — which is what lets confidence rise for real rather than by assertion. This illustrates the mechanism — it is not a live view of a running system.

Compounding knowledge (curate-once vs RAG)

Shipped

Ingestion produces atoms namespaced by their source document; curation canonicalizes the same fact across documents, so a claim stated in three sources accrues three independent observations and its confidence can honestly rise. That cross-document corroboration is the mechanism behind "compounding" — and it is measured: a confirmed concept pulls monotonically ahead of the field while an unconfirmed decoy falls behind. Standard retrieval has no such mechanism; it re-fetches raw chunks and lets the model author an answer every time.

ACT-R retrieval ranking

Shipped

Candidates are ranked by ACT-R-style spreading activation over the typed-link graph: a source gains relevance from what it connects to, attenuating with distance, so the same query surfaces different evidence as the graph learns. The popularity prior is deliberately dropped — relevance comes from topology, not from what is merely frequent — which is what stops a rich-get-richer ranking artefact.

Out-of-model grounding + clearance + entailment gate

In progress

The gate runs on immutable anchored provenance, outside the model's control. A claim with no anchor is treated as a fabrication and blocked; a source the requester cannot clear is never retrievable because its index partition is ciphertext to them. A deterministic grep pre-filter catches literal fabrication cheaply before the entailment check. The model is never trusted to police itself.

Learning

The system improves with use through oracle-verified reinforcement — behind a hard firewall: learning can tune ranking, never the security gate.

Self-learning agent (firewalled tiered learning)

In progress

Learning is tiered: a fresh or high-stakes instance runs on deterministic rules; oracle-verified episodes then reinforce what is genuinely useful, where "useful" means an oracle confirmed the retrieved set actually carried the query's literals — a mere retrieval reinforces nothing, which is what stops a rich-get-richer feedback artefact. A hard firewall means the offline learning policy can decide whether to research more but can never decide to release an uncleared fact.

Ingestion

How standard files become sealed, clearance-tagged knowledge.

Ingestion (standard files + layout; OCR)

In progress

Ingestion parses standard files and assigns access labels from a deterministic, signed floor before the model is consulted, so a compromised model can only add restriction, never remove it. Department/project ownership comes from provenance (where a document was filed), while caveats come from content (a document that mentions patient data is pii-bearing whoever filed it). Labels are final before sealing, because a mis-tag is a mis-encryption and permanent for an under-tag.

Deployment

Run it yourself (on-prem, air-gap-capable) or let us operate it with zero-access confidential computing.

On-prem / air-gap sovereignty

In progress

Mnemosyne is designed as a single trusted writer on the customer's own hardware, with no required external network dependency; the local notary is the synchronous witness and outside anchoring is an optional switch. In an air-gapped deployment there is nowhere for exfiltrated data to be sent. The trade-off is stated honestly: air-gapped means no frontier cloud model.

Managed cloud — single-tenant, we operate it

Planned

For teams that want the sovereignty without the ops burden, we operate a dedicated per-customer instance: one confidential VM, one keystore, one set of audit chains — never a multi-tenant substrate. You can always export your encrypted substrate and keys and self-host instead, with the audit chain verifying intact across the move: the door unlocks from the inside.

Zero-access managed (confidential computing)

Planned

In managed, the operator (us) is treated as an adversary the tier must contain. Each instance runs inside a confidential VM whose memory the host cannot read; your key is released only after remote attestation proves exactly what code will hold it. Breach-contained even against Mnemosyne itself — trust moves to a hardware measurement, not to our promise.