audrey 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (183) hide show
  1. package/CHANGELOG.md +57 -0
  2. package/README.md +303 -429
  3. package/SECURITY.md +3 -3
  4. package/benchmarks/output/adapter-self-test/guardbench-adapter-self-test.json +3 -3
  5. package/benchmarks/output/external/guardbench-external-dry-run.json +1 -1
  6. package/benchmarks/output/external/guardbench-external-evidence.json +1 -1
  7. package/benchmarks/output/guardbench-conformance-card.json +11 -11
  8. package/benchmarks/output/guardbench-raw.json +105 -104
  9. package/benchmarks/output/guardbench-summary.json +169 -167
  10. package/benchmarks/output/leaderboard/guardbench-leaderboard.json +5 -5
  11. package/benchmarks/output/leaderboard/guardbench-leaderboard.md +2 -2
  12. package/benchmarks/output/submission-bundle/guardbench-conformance-card.json +11 -11
  13. package/benchmarks/output/submission-bundle/guardbench-raw.json +105 -104
  14. package/benchmarks/output/submission-bundle/guardbench-summary.json +169 -167
  15. package/benchmarks/output/submission-bundle/submission-manifest.json +11 -11
  16. package/benchmarks/output/submission-bundle/validation-report.json +1 -1
  17. package/benchmarks/output/summary.json +58 -58
  18. package/benchmarks/public-paths.mjs +14 -1
  19. package/dist/mcp-server/config.d.ts +4 -1
  20. package/dist/mcp-server/config.d.ts.map +1 -1
  21. package/dist/mcp-server/config.js +47 -7
  22. package/dist/mcp-server/config.js.map +1 -1
  23. package/dist/mcp-server/hooks.d.ts +41 -0
  24. package/dist/mcp-server/hooks.d.ts.map +1 -0
  25. package/dist/mcp-server/hooks.js +313 -0
  26. package/dist/mcp-server/hooks.js.map +1 -0
  27. package/dist/mcp-server/index.d.ts +8 -354
  28. package/dist/mcp-server/index.d.ts.map +1 -1
  29. package/dist/mcp-server/index.js +593 -565
  30. package/dist/mcp-server/index.js.map +1 -1
  31. package/dist/mcp-server/tool-schemas.d.ts +341 -0
  32. package/dist/mcp-server/tool-schemas.d.ts.map +1 -0
  33. package/dist/mcp-server/tool-schemas.js +248 -0
  34. package/dist/mcp-server/tool-schemas.js.map +1 -0
  35. package/dist/mcp-server/tool-validation.d.ts +17 -0
  36. package/dist/mcp-server/tool-validation.d.ts.map +1 -0
  37. package/dist/mcp-server/tool-validation.js +41 -0
  38. package/dist/mcp-server/tool-validation.js.map +1 -0
  39. package/dist/src/action-key.d.ts +1 -0
  40. package/dist/src/action-key.d.ts.map +1 -1
  41. package/dist/src/action-key.js +11 -13
  42. package/dist/src/action-key.js.map +1 -1
  43. package/dist/src/affect.d.ts +1 -0
  44. package/dist/src/affect.d.ts.map +1 -1
  45. package/dist/src/affect.js +9 -4
  46. package/dist/src/affect.js.map +1 -1
  47. package/dist/src/audrey.d.ts +11 -3
  48. package/dist/src/audrey.d.ts.map +1 -1
  49. package/dist/src/audrey.js +59 -25
  50. package/dist/src/audrey.js.map +1 -1
  51. package/dist/src/autopilot.d.ts +32 -0
  52. package/dist/src/autopilot.d.ts.map +1 -0
  53. package/dist/src/autopilot.js +997 -0
  54. package/dist/src/autopilot.js.map +1 -0
  55. package/dist/src/capsule.d.ts +2 -0
  56. package/dist/src/capsule.d.ts.map +1 -1
  57. package/dist/src/capsule.js +27 -12
  58. package/dist/src/capsule.js.map +1 -1
  59. package/dist/src/consolidate.d.ts +1 -1
  60. package/dist/src/consolidate.d.ts.map +1 -1
  61. package/dist/src/consolidate.js +14 -8
  62. package/dist/src/consolidate.js.map +1 -1
  63. package/dist/src/controller.d.ts +2 -0
  64. package/dist/src/controller.d.ts.map +1 -1
  65. package/dist/src/controller.js +18 -11
  66. package/dist/src/controller.js.map +1 -1
  67. package/dist/src/db.d.ts.map +1 -1
  68. package/dist/src/db.js +121 -33
  69. package/dist/src/db.js.map +1 -1
  70. package/dist/src/decay.d.ts +2 -1
  71. package/dist/src/decay.d.ts.map +1 -1
  72. package/dist/src/decay.js +14 -10
  73. package/dist/src/decay.js.map +1 -1
  74. package/dist/src/embedding.d.ts.map +1 -1
  75. package/dist/src/embedding.js.map +1 -1
  76. package/dist/src/encode.d.ts.map +1 -1
  77. package/dist/src/encode.js +4 -2
  78. package/dist/src/encode.js.map +1 -1
  79. package/dist/src/events.d.ts +2 -0
  80. package/dist/src/events.d.ts.map +1 -1
  81. package/dist/src/events.js +15 -1
  82. package/dist/src/events.js.map +1 -1
  83. package/dist/src/feedback.d.ts +1 -0
  84. package/dist/src/feedback.d.ts.map +1 -1
  85. package/dist/src/feedback.js +13 -9
  86. package/dist/src/feedback.js.map +1 -1
  87. package/dist/src/forget.d.ts.map +1 -1
  88. package/dist/src/forget.js.map +1 -1
  89. package/dist/src/impact.d.ts +1 -1
  90. package/dist/src/impact.d.ts.map +1 -1
  91. package/dist/src/impact.js +40 -30
  92. package/dist/src/impact.js.map +1 -1
  93. package/dist/src/import.d.ts.map +1 -1
  94. package/dist/src/import.js +13 -9
  95. package/dist/src/import.js.map +1 -1
  96. package/dist/src/index.d.ts +2 -0
  97. package/dist/src/index.d.ts.map +1 -1
  98. package/dist/src/index.js +1 -0
  99. package/dist/src/index.js.map +1 -1
  100. package/dist/src/interference.d.ts +2 -1
  101. package/dist/src/interference.d.ts.map +1 -1
  102. package/dist/src/interference.js +44 -17
  103. package/dist/src/interference.js.map +1 -1
  104. package/dist/src/llm.d.ts.map +1 -1
  105. package/dist/src/llm.js +12 -1
  106. package/dist/src/llm.js.map +1 -1
  107. package/dist/src/migrate.d.ts.map +1 -1
  108. package/dist/src/migrate.js +9 -9
  109. package/dist/src/migrate.js.map +1 -1
  110. package/dist/src/preflight.d.ts +2 -0
  111. package/dist/src/preflight.d.ts.map +1 -1
  112. package/dist/src/preflight.js +29 -12
  113. package/dist/src/preflight.js.map +1 -1
  114. package/dist/src/promote.d.ts +1 -0
  115. package/dist/src/promote.d.ts.map +1 -1
  116. package/dist/src/promote.js +12 -8
  117. package/dist/src/promote.js.map +1 -1
  118. package/dist/src/recall.d.ts.map +1 -1
  119. package/dist/src/recall.js +152 -100
  120. package/dist/src/recall.js.map +1 -1
  121. package/dist/src/reflexes.d.ts.map +1 -1
  122. package/dist/src/reflexes.js.map +1 -1
  123. package/dist/src/rollback.d.ts.map +1 -1
  124. package/dist/src/rollback.js.map +1 -1
  125. package/dist/src/routes.d.ts +1 -0
  126. package/dist/src/routes.d.ts.map +1 -1
  127. package/dist/src/routes.js +73 -20
  128. package/dist/src/routes.js.map +1 -1
  129. package/dist/src/server.d.ts +1 -0
  130. package/dist/src/server.d.ts.map +1 -1
  131. package/dist/src/server.js +2 -2
  132. package/dist/src/server.js.map +1 -1
  133. package/dist/src/types.d.ts +1 -0
  134. package/dist/src/types.d.ts.map +1 -1
  135. package/dist/src/utils.d.ts +2 -0
  136. package/dist/src/utils.d.ts.map +1 -1
  137. package/dist/src/utils.js +18 -0
  138. package/dist/src/utils.js.map +1 -1
  139. package/dist/src/validate.d.ts +1 -0
  140. package/dist/src/validate.d.ts.map +1 -1
  141. package/dist/src/validate.js +19 -10
  142. package/dist/src/validate.js.map +1 -1
  143. package/docs/AUDREY_PAPER_OUTLINE.md +6 -3
  144. package/docs/PRODUCTION_BACKLOG.md +47 -30
  145. package/docs/paper/06-implementation.md +5 -3
  146. package/docs/paper/07-evaluation.md +5 -5
  147. package/docs/paper/08-discussion-limitations.md +1 -1
  148. package/docs/paper/audrey-paper-v1.md +11 -9
  149. package/docs/paper/evidence-ledger.md +8 -8
  150. package/docs/paper/output/arxiv/arxiv-manifest.json +4 -4
  151. package/docs/paper/output/arxiv/main.tex +11 -9
  152. package/docs/paper/output/arxiv-compile-report.json +3 -3
  153. package/docs/paper/output/submission-bundle/README.md +303 -429
  154. package/docs/paper/output/submission-bundle/benchmarks/output/adapter-self-test/guardbench-adapter-self-test.json +3 -3
  155. package/docs/paper/output/submission-bundle/benchmarks/output/external/guardbench-external-dry-run.json +1 -1
  156. package/docs/paper/output/submission-bundle/benchmarks/output/external/guardbench-external-evidence.json +1 -1
  157. package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-conformance-card.json +11 -11
  158. package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-raw.json +105 -104
  159. package/docs/paper/output/submission-bundle/benchmarks/output/guardbench-summary.json +169 -167
  160. package/docs/paper/output/submission-bundle/benchmarks/output/leaderboard/guardbench-leaderboard.json +5 -5
  161. package/docs/paper/output/submission-bundle/benchmarks/output/leaderboard/guardbench-leaderboard.md +2 -2
  162. package/docs/paper/output/submission-bundle/benchmarks/output/submission-bundle/submission-manifest.json +11 -11
  163. package/docs/paper/output/submission-bundle/benchmarks/output/submission-bundle/validation-report.json +1 -1
  164. package/docs/paper/output/submission-bundle/benchmarks/output/summary.json +45 -45
  165. package/docs/paper/output/submission-bundle/docs/AUDREY_PAPER_OUTLINE.md +6 -3
  166. package/docs/paper/output/submission-bundle/docs/paper/06-implementation.md +5 -3
  167. package/docs/paper/output/submission-bundle/docs/paper/07-evaluation.md +5 -5
  168. package/docs/paper/output/submission-bundle/docs/paper/08-discussion-limitations.md +1 -1
  169. package/docs/paper/output/submission-bundle/docs/paper/audrey-paper-v1.md +11 -9
  170. package/docs/paper/output/submission-bundle/docs/paper/evidence-ledger.md +8 -8
  171. package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/arxiv-manifest.json +4 -4
  172. package/docs/paper/output/submission-bundle/docs/paper/output/arxiv/main.tex +11 -9
  173. package/docs/paper/output/submission-bundle/docs/paper/output/arxiv-compile-report.json +3 -3
  174. package/docs/paper/output/submission-bundle/package.json +5 -2
  175. package/docs/paper/output/submission-bundle/paper-submission-manifest.json +41 -41
  176. package/package.json +5 -2
  177. package/scripts/audit-release-completion.mjs +8 -8
  178. package/scripts/finalize-release.mjs +1 -1
  179. package/scripts/prepare-release-cut.mjs +1 -1
  180. package/scripts/publish-release-bundle.mjs +8 -4
  181. package/scripts/publish-release-github-api.mjs +1 -1
  182. package/scripts/sync-paper-artifacts.mjs +4 -5
  183. package/scripts/verify-release-readiness.mjs +1 -1
package/README.md CHANGED
@@ -1,11 +1,11 @@
1
1
  <div align="center">
2
- <img src="docs/assets/audrey-wordmark.png" alt="Audrey wordmark" width="760">
2
+ <img src="docs/assets/audrey-wordmark.png" alt="Audrey" width="720">
3
3
 
4
- <p><strong>The local-first memory firewall for AI agents.</strong></p>
4
+ <p><strong>Memory that shows up before your coding agent makes the same mistake twice.</strong></p>
5
5
 
6
6
  <p>
7
- Give Codex, Claude Code, Claude Desktop, Cursor, Windsurf, VS Code, JetBrains, Ollama-backed agents,
8
- and custom agent services one durable memory layer they can check before they touch tools.
7
+ Audrey gives Codex and Claude Code one local, evidence-backed memory loop:
8
+ remember what mattered, recall it automatically, check before acting, and learn from what happened next.
9
9
  </p>
10
10
 
11
11
  <p>
@@ -15,543 +15,417 @@
15
15
  </p>
16
16
  </div>
17
17
 
18
- ## Why Audrey Exists
18
+ ## Your agent should remember the work, not just the chat
19
19
 
20
- Agents forget the exact mistakes they made yesterday. They repeat broken commands, lose project-specific rules, miss contradictions, and treat every new session like a cold start.
20
+ You fix the deploy command on Monday. On Thursday, a fresh session tries the broken version again.
21
21
 
22
- Audrey Guard is the headline loop: record what happened, remember what mattered, check before action, return `allow`, `warn`, or `block` with evidence, then validate whether the memory helped.
22
+ You explain that this repository never commits generated files. The next agent helpfully commits them.
23
23
 
24
- Audrey turns those hard-won lessons into a local memory runtime:
24
+ You discover a subtle migration rule, write it down somewhere, and still have to remember to paste it into every new conversation.
25
25
 
26
- - `audrey guard --tool Bash "npm run deploy"` runs memory-before-action from the terminal.
27
- - `memory_recall` finds durable context by semantic similarity.
28
- - `memory_preflight` checks prior failures, risks, rules, and relevant procedures before an action.
29
- - `memory_reflexes` converts remembered evidence into trigger-response guidance agents can follow.
30
- - `memory_validate` closes the loop after the action: `helpful`, `used`, or `wrong` outcomes feed salience and can bind back to the exact preflight event, evidence ids, and Guard action fingerprint.
31
- - `memory_dream` consolidates episodes into principles and applies decay.
32
- - `audrey impact` and `audrey doctor` tell a human or CI system whether the runtime is doing real work and is actually ready.
26
+ That is the gap Audrey closes.
33
27
 
34
- It is not a hosted vector database, a notes app, or a Claude-only plugin. Audrey is a SQLite-backed continuity layer that can sit under any local or sidecar agent loop.
28
+ Audrey sits beside the agent and participates in the work automatically. At the start of a session it brings back a small, relevant memory packet. When you submit a prompt, it recalls project facts, preferences, procedures, and recent risks. Before a side-effectful tool runs, Audrey checks the proposed action against prior evidence. Afterward, it links the outcome back to the exact check that preceded it.
35
29
 
36
- <div align="center">
37
- <img src="docs/assets/audrey-feature-grid.jpg" alt="Audrey feature marks: memory continuity, archive signal, recall loop, layered evidence, local node, and remembering before acting" width="760">
38
- </div>
30
+ The model does not have to remember that a memory tool exists. That is the point.
39
31
 
40
- ## Quick Start
32
+ ## Meet Audrey Autopilot
41
33
 
42
- Requires Node.js 20+.
34
+ Install Audrey once, review the hooks once, and then use Codex or Claude Code normally.
43
35
 
44
36
  ```bash
45
- npx audrey doctor
46
- npx audrey demo --scenario repeated-failure
47
- npx audrey guard --tool Bash "npm run deploy"
37
+ npm install -g audrey
38
+ audrey install --host auto
48
39
  ```
49
40
 
50
- `doctor` verifies Node, the MCP entrypoint, provider selection, memory-store health, and host config generation. The repeated-failure demo is no-key, no-host, and no-network: it creates a temporary store, records a failed deploy, teaches Audrey the fix, then shows Audrey Guard blocking the repeat attempt with evidence.
41
+ `auto` configures whichever supported CLIs are installed. You can choose one explicitly:
42
+
43
+ ```bash
44
+ audrey install --host codex
45
+ audrey install --host claude-code
46
+ ```
47
+
48
+ Restart the host after installation. Codex asks you to trust non-managed hooks once through `/hooks`; Claude Code may also ask you to approve project or plugin components. Audrey is automatic after that explicit install-and-trust step—never secretly installed.
49
+
50
+ Autopilot then closes the loop:
51
+
52
+ | Moment | What Audrey does |
53
+ |---|---|
54
+ | Session starts | Injects a compact, agent-scoped memory briefing |
55
+ | You send a prompt | Recalls relevant evidence; explicitly durable phrases such as “remember that…” or “I prefer…” can become memories |
56
+ | Bash/edit/write is proposed | Checks exact prior failures, trusted rules, procedures, contradictions, and memory health |
57
+ | The tool finishes | Correlates `tool_use_id` to the Guard receipt and records the redacted outcome |
58
+ | A tool failure is reported | Forms a durable, sanitized failure memory for the next attempt |
59
+ | The turn stops or context compacts | Runs lightweight, due-only consolidation without holding the conversation open |
60
+
61
+ Infrastructure failures are fail-open by default: a broken memory service must not strand a developer. Teams that need enforcement can set `AUDREY_HOOK_FAIL_CLOSED=1`.
62
+
63
+ ## A small story about a failed deploy
51
64
 
52
- Expected first-run shape:
65
+ The first attempt fails:
53
66
 
54
67
  ```text
55
- Audrey Doctor v1.0.2
56
- Store health: not initialized
57
- Verdict: ready
68
+ $ npm run deploy
69
+ Error: deployment target is missing
58
70
  ```
59
71
 
60
- After the first real memory write, `doctor` should report the store as healthy.
72
+ Audrey keeps a redacted trace and the exact action fingerprint. If another session proposes the same action before the problem is fixed, Guard returns a denial with evidence. Change the command or fix the target and Audrey lets the work continue. Once that exact action succeeds, the old failure no longer blocks it.
61
73
 
62
- ## Install Into Agent Hosts
74
+ This is more useful than “the vector search found a vaguely similar error.” Audrey creates a receipt before the action, records what happened after it, and preserves the lineage between the two.
63
75
 
64
- Preview host setup without editing config files:
76
+ Try the complete loop without an API key or network call:
65
77
 
66
78
  ```bash
67
- npx audrey install --host codex --dry-run
68
- npx audrey install --host claude-code --dry-run
69
- npx audrey install --host generic --dry-run
79
+ npx audrey demo --scenario repeated-failure
70
80
  ```
71
81
 
72
- Generate raw config blocks:
82
+ ## What Audrey remembers
73
83
 
74
- ```bash
75
- npx audrey mcp-config codex
76
- npx audrey mcp-config generic
77
- npx audrey mcp-config vscode
78
- npx audrey hook-config claude-code
79
- ```
84
+ Audrey treats memory as more than a pile of text chunks.
80
85
 
81
- Claude Code can be registered directly:
86
+ - Episodes are things that happened: a user decision, a tool result, a project fact, a preference.
87
+ - Semantic memories are principles supported by accumulated evidence.
88
+ - Procedural memories are ways of acting: how to retry, verify, avoid, or recover.
89
+ - Contradictions stay visible instead of being silently overwritten.
90
+ - Confidence changes with source quality, evidence, age, retrieval, interference, context, and feedback.
91
+ - Low-value memories decay; repeated evidence can consolidate into longer-lived knowledge.
82
92
 
83
- ```bash
84
- npx audrey install
85
- claude mcp list
86
- ```
93
+ Every context packet includes memory IDs, confidence, provenance where available, and a reason for inclusion. Uncertain or disputed memories are labeled as such. Retrieved content is wrapped with a simple rule: memory is evidence, not authority; current system and user instructions always win.
87
94
 
88
- For memory-before-action hooks, preview with `npx audrey hook-config
89
- claude-code`, then apply with `npx audrey hook-config claude-code --apply
90
- --scope project` for `.claude/settings.local.json` or `--scope user` for
91
- `~/.claude/settings.json`. Audrey merges the hook block into existing settings
92
- and writes a timestamped backup before changing a non-empty file. The generated
93
- `PreToolUse` hook runs `audrey guard --hook --fail-on-warn`; the `PostToolUse`
94
- and `PostToolUseFailure` hooks record redacted tool traces. Verify the active
95
- hook set inside Claude Code with `/hooks`.
95
+ ## What Audrey deliberately does not do
96
96
 
97
- All local MCP paths default to local embeddings and one shared SQLite-backed memory directory. **Set a distinct `AUDREY_DATA_DIR` per tenant, agent identity, or concurrent host.** SQLite uses WAL mode without an advisory lock, so two processes sharing a directory will contend on writes. Isolation is a hard requirement for multi-agent setups, not a recommendation.
97
+ Audrey does not upload your memory to a hosted service by default. It does not treat every sentence as permanent truth. It does not promote instructions from arbitrary tool output into trusted policy. It does not claim that a small local benchmark proves state-of-the-art memory quality.
98
98
 
99
- Installer-generated host config does not include provider API keys by default. Prefer setting `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, `GOOGLE_API_KEY`, or `GEMINI_API_KEY` in the host runtime environment; use `npx audrey install --include-secrets` only if you explicitly accept argv/config exposure.
99
+ Raw prompt events and tool bodies are not retained by default. Audrey stores hashes, bounded summaries, fingerprints, and redaction metadata. Explicit user-memory language is persisted intentionally; tool failure memories are sanitized first. Admin export/import/forget surfaces are disabled unless `AUDREY_ENABLE_ADMIN_TOOLS=1`.
100
100
 
101
- ## Use With Ollama And Local Agents
101
+ At-rest encryption, identity-bound tenant authorization, rate limiting, and regulated retention remain deployment responsibilities today. They are not hidden behind a “production ready” badge.
102
102
 
103
- Ollama runs models; Audrey supplies memory. Start Audrey as a local REST sidecar and expose its routes as tools in your agent loop:
103
+ ## Why a team might actually want this
104
104
 
105
- ```bash
106
- AUDREY_AGENT=ollama-local-agent npx audrey serve
107
- curl http://localhost:7437/health
108
- curl http://localhost:7437/v1/status
109
- ```
105
+ ### Fewer repeated mistakes
110
106
 
111
- Runnable example:
107
+ Guard checks memory at the point where it can change an action, not after the damage is done. Exact failure fingerprints avoid the noisy “one Bash command failed, so all Bash commands are suspicious” behavior.
112
108
 
113
- ```bash
114
- AUDREY_AGENT=ollama-local-agent npx audrey serve
115
- OLLAMA_MODEL=qwen3 node examples/ollama-memory-agent.js "What should you remember about Audrey?"
116
- ```
109
+ ### Continuity across agent sessions
117
110
 
118
- Core sidecar tools:
111
+ Audrey is not tied to one model vendor. Codex and Claude Code use the same memory runtime and the same evidence contract. MCP, REST, JavaScript, and Python clients make the core usable in custom agents too.
119
112
 
120
- | Agent Need | REST Route |
121
- |---|---|
122
- | Check memory before acting | `POST /v1/preflight` |
123
- | Get reflex rules for an action | `POST /v1/reflexes` |
124
- | Store a useful observation | `POST /v1/encode` |
125
- | Recall relevant context | `POST /v1/recall` |
126
- | Get a turn-sized memory packet | `POST /v1/capsule` |
127
- | Check health | `GET /v1/status` |
113
+ ### Evidence a human can inspect
128
114
 
129
- ## What Ships
115
+ Allow, warn, and block decisions carry receipts and evidence IDs. Outcome records connect back to those receipts. Teams can ask not only “what did the agent remember?” but “which memory changed this action, and was that useful?”
130
116
 
131
- | Surface | Status |
132
- |---|---|
133
- | MCP stdio server | 20 tools plus status/recent/principles resources and briefing/recall/reflection prompts |
134
- | CLI | `doctor`, `demo`, `guard`, `install`, `mcp-config`, `hook-config`, `status`, `dream`, `reembed`, `observe-tool`, `promote`, `impact` |
135
- | REST API | Hono server with `/health` and `/v1/*` routes |
136
- | JavaScript SDK | Direct TypeScript/Node import from `audrey` |
137
- | Python client | `pip install audrey-memory`, calls the REST sidecar |
138
- | Storage | Local SQLite plus `sqlite-vec`, no hosted database required |
139
- | Deployment | npm package, Docker, Compose, host-specific MCP config generation |
140
- | Safety loop | preflight warnings, reflexes, redacted tool traces, contradiction handling |
117
+ ### Local control
118
+
119
+ The default store is SQLite, FTS5, and `sqlite-vec`. Local embeddings are the default. Cloud embedding or LLM providers require explicit configuration.
141
120
 
142
- ## Memory Model
121
+ ### A safer shared store
143
122
 
144
- Audrey is built around the parts of memory that matter for agents:
123
+ Agent-scoped recall now continues through validation, contradiction detection, interference, affect, failure lookup, capsules, greetings, Guard, and REST request routing. Hidden retrieval candidates do not reinforce themselves; only memories actually surfaced to the caller receive retrieval bookkeeping.
145
124
 
146
- - Episodic memory: specific observations, tool results, preferences, and session facts.
147
- - Semantic memory: consolidated principles extracted from repeated evidence.
148
- - Procedural memory: remembered ways to act, avoid, retry, or verify.
149
- - Affect and salience: emotional weight and importance influence recall.
150
- - Interference and decay: stale, conflicting, or low-confidence memories lose authority over time.
151
- - Contradiction handling: competing claims are tracked instead of silently overwritten.
152
- - Tool-trace learning: failed commands and risky actions become future preflight warnings.
125
+ Vector candidates are partitioned by agent before nearest-neighbor ranking, so one busy agent cannot crowd another out of a bounded search. For hard tenant boundaries, still use a distinct `AUDREY_DATA_DIR` per tenant or security domain.
153
126
 
154
- The product bet is simple: the next generation of useful agents will not just retrieve facts. They will remember what happened, decide whether a memory is still trustworthy, and use that memory before touching tools.
127
+ ## See it before installing anything
155
128
 
156
- ## Use Audrey From Code
129
+ ```bash
130
+ npx audrey doctor
131
+ npx audrey demo
132
+ npx audrey install --host auto --dry-run
133
+ ```
157
134
 
158
- ### JavaScript
135
+ The dry run prints the MCP and lifecycle-hook configuration for both hosts without changing files.
159
136
 
160
- ```js
161
- import { Audrey } from 'audrey';
137
+ <div align="center">
138
+ <img src="docs/assets/audrey-feature-grid.jpg" alt="Audrey memory continuity, recall, evidence, local storage, and memory-before-action" width="760">
139
+ </div>
162
140
 
163
- const brain = new Audrey({
164
- dataDir: './audrey-data',
165
- agent: 'support-agent',
166
- embedding: { provider: 'local', dimensions: 384 },
167
- });
141
+ ## Where we want to take it
168
142
 
169
- await brain.encode({
170
- content: 'Stripe returns HTTP 429 above 100 req/s',
171
- source: 'direct-observation',
172
- tags: ['stripe', 'rate-limit'],
173
- });
143
+ The ambition is a temporal evidence graph for agents: immutable observations, explicit validity windows, source trust, evolving claims, scoped procedures, and outcome-calibrated policy. The defensible part is not storing more text. It is knowing what was believed, why, in which context, for how long, and whether acting on it helped.
174
144
 
175
- const memories = await brain.recall('stripe rate limit');
145
+ Near-term work includes durable background cognition jobs, tenant namespaces bound to credentials, memory quarantine and taint propagation, public long-horizon evaluations, encrypted backup options, and a persistent local daemon that removes per-hook model startup entirely.
176
146
 
177
- await brain.waitForIdle();
178
- brain.close();
179
- ```
147
+ If that is the kind of agent infrastructure you want to build, open an issue or start with the demo. Audrey is MIT licensed, and the product boundary is intentionally inspectable.
148
+
149
+ ---
150
+
151
+ ## Technical reference
180
152
 
181
- ### Python
153
+ Everything below is the machinery. The short version above is the product.
154
+
155
+ ### Requirements and packages
156
+
157
+ - Node.js 20+
158
+ - npm package: `audrey`
159
+ - Python client: `audrey-memory`
160
+ - Default storage: local SQLite + FTS5 + `sqlite-vec`
161
+ - Default embeddings: local 384-dimensional model
182
162
 
183
163
  ```bash
164
+ npm install audrey
184
165
  pip install audrey-memory
185
166
  ```
186
167
 
187
- ```python
188
- from audrey_memory import Audrey
168
+ For Autopilot, prefer a global or otherwise stable installation. Hook and MCP configuration pins the actual Node executable and Audrey entrypoint; an ephemeral `npx` cache is not a durable production runtime.
169
+
170
+ ### Host configuration
171
+
172
+ Preview or apply lifecycle hooks independently:
189
173
 
190
- brain = Audrey(base_url="http://127.0.0.1:7437", agent="support-agent")
191
- memory_id = brain.encode("Stripe returns HTTP 429 above 100 req/s", source="direct-observation")
192
- results = brain.recall("stripe rate limit", limit=5)
193
- brain.close()
174
+ ```bash
175
+ audrey hook-config claude-code
176
+ audrey hook-config claude-code --apply --scope local
177
+ audrey hook-config claude-code --apply --scope project
178
+ audrey hook-config claude-code --apply --scope user
179
+
180
+ audrey hook-config codex
181
+ audrey hook-config codex --apply --scope project
182
+ audrey hook-config codex --apply --scope user
194
183
  ```
195
184
 
196
- ## Production Readiness
185
+ Claude Code scope mapping follows the host’s terminology:
186
+
187
+ - `local` → `.claude/settings.local.json`
188
+ - `project` → `.claude/settings.json`
189
+ - `user` → `~/.claude/settings.json`
190
+
191
+ Codex supports project `.codex/hooks.json` and user `~/.codex/hooks.json`; it has no local hook scope. Audrey preserves unrelated hooks, replaces older Audrey-owned handlers, writes a private timestamped backup, and is idempotent on repeat installation. Project-adjacent backup names match `*.audrey-*.bak`; keep that pattern ignored because a host config can contain unrelated credentials.
197
192
 
198
- Audrey is close to a 1.0-ready local memory runtime, but production depends on how it is embedded. Treat it like stateful infrastructure.
193
+ Audrey respects `CLAUDE_CONFIG_DIR` and `CODEX_HOME`. Generated hooks pin the stable Node executable, Audrey entrypoint, data directory, agent identity, and non-secret provider choices used at install time. With local embeddings, an Autopilot install performs one warmup so the first real hook is not also the first model load; set `AUDREY_DISABLE_WARMUP=1` to skip it.
199
194
 
200
- Release gates used for this package:
195
+ Generate MCP configuration without applying it:
201
196
 
202
197
  ```bash
203
- npm run release:gate
204
- npm run python:release:check
205
- npm run bench:guard:card
206
- npm run bench:guard:validate
207
- npx audrey doctor
208
- npx audrey demo
198
+ audrey mcp-config codex
199
+ audrey mcp-config generic
200
+ audrey mcp-config vscode
209
201
  ```
210
202
 
211
- Recommended runtime checks:
203
+ Remove Audrey-owned MCP registrations and hooks with the same host and scope you installed:
212
204
 
213
205
  ```bash
214
- npx audrey doctor --json
215
- npx audrey status --json --fail-on-unhealthy
216
- npx audrey install --host codex --dry-run
206
+ audrey uninstall --host auto --scope user
207
+ audrey uninstall --host claude-code --scope local
208
+ audrey uninstall --host codex --scope project
217
209
  ```
218
210
 
219
- Production controls you still own:
211
+ Add `--dry-run` to preview uninstall without changing either host. Add `--mcp-only` only when you intentionally want to preserve Audrey hooks.
220
212
 
221
- - Set one `AUDREY_DATA_DIR` per tenant, environment, or isolation boundary.
222
- - Pin `AUDREY_EMBEDDING_PROVIDER` and `AUDREY_LLM_PROVIDER` explicitly.
223
- - Back up the SQLite data directory before provider or dimension changes.
224
- - Keep API keys and raw credentials out of encoded memory content.
225
- - Use `AUDREY_API_KEY` if the REST sidecar is reachable beyond the local process boundary.
226
- - Run `npx audrey dream` on a schedule so consolidation and decay stay current.
227
- - Add application-level encryption, retention, access control, and audit logging for regulated environments.
213
+ ### Autopilot safety contract
228
214
 
229
- ## Environment Variables
215
+ The shared hook adapter normalizes current Codex and Claude Code payloads.
230
216
 
231
- | Variable | Default | Purpose |
232
- |---|---|---|
233
- | `AUDREY_DATA_DIR` | `~/.audrey/data` | SQLite memory store path. Use one per tenant or agent identity for isolation. |
234
- | `AUDREY_AGENT` | `local-agent` | Logical agent identity stamped on writes. |
235
- | `AUDREY_EMBEDDING_PROVIDER` | `local` | `local`, `gemini`, `openai`, or `mock`. Cloud providers require explicit opt-in. |
236
- | `AUDREY_LLM_PROVIDER` | auto | `anthropic`, `openai`, or `mock`. |
237
- | `AUDREY_DEVICE` | `gpu` | Local embedding device (`gpu` or `cpu`). Falls back to CPU if GPU init fails. |
238
- | `AUDREY_PORT` | `7437` | REST sidecar port. |
239
- | `AUDREY_HOST` | `127.0.0.1` | REST sidecar bind address. Set to `0.0.0.0` only with `AUDREY_API_KEY`. |
240
- | `AUDREY_API_KEY` | unset | Bearer token required for non-loopback REST traffic. |
241
- | `AUDREY_ALLOW_NO_AUTH` | `0` | Set to `1` to allow non-loopback bind without an API key. Don't. |
242
- | `AUDREY_ENABLE_ADMIN_TOOLS` | `0` | Set to `1` to enable export, import, and forget routes/tools. Disabled by default. |
243
- | `AUDREY_PROMOTE_ROOTS` | unset | Colon/semicolon-separated extra roots for `audrey promote --yes` writes. By default writes are restricted to `process.cwd()`. |
244
- | `AUDREY_DEBUG` | `0` | Set to `1` to print MCP info logs (server started, warmup completed). Errors always log. |
245
- | `AUDREY_PROFILE` | `0` | Set to `1` to emit per-stage timings via MCP `_meta.diagnostics`. |
246
- | `AUDREY_DISABLE_WARMUP` | `0` | Set to `1` to skip background embedding warmup at MCP boot. |
247
- | `AUDREY_ONNX_VERBOSE` | `0` | Set to `1` to restore ONNX runtime EP-assignment warnings (suppressed by default). |
248
- | `AUDREY_PRAGMA_DEFAULTS` | `1` | Set to `0` to revert SQLite PRAGMA tuning to better-sqlite3 defaults. |
249
- | `AUDREY_CONTEXT_BUDGET_CHARS` | `4000` | Default Memory Capsule character budget. |
250
-
251
- ## Benchmarks
252
-
253
- Audrey ships three benchmark families.
254
-
255
- ### Performance snapshot
256
-
257
- `npm run bench:perf-snapshot` measures encode and hybrid recall latency at multiple corpus sizes against the in-process mock provider. It reports p50/p95/p99 plus machine provenance so the numbers are reproducible and honest about what they cover.
217
+ - Context injection is bounded by `AUDREY_CONTEXT_BUDGET_CHARS` (default 4000; Autopilot uses a conservative 3200-character packet unless overridden).
218
+ - Prompt and tool retrieval queries are bounded before embedding. Large edits carry hashes and lengths instead of file bodies; exact Guard identity uses a full redacted digest rather than a truncated prefix.
219
+ - Only `Bash`, `Edit`, `Write`, `NotebookEdit`, and `apply_patch` are guarded and observed by the generated default hooks.
220
+ - Pre/post correlation uses `session_id + tool_use_id`, so parallel tool calls do not attach to the wrong receipt.
221
+ - Claude `PostToolUseFailure` and Codex responses that explicitly expose a non-zero exit normalize to the same failure path. Current Codex hooks can omit Bash exit status; Audrey records an opaque result as `unknown`, never as invented success.
222
+ - Context and Guard failures emit `{}` and log to stderr unless fail-closed mode is explicitly enabled.
223
+ - Stop hooks always emit valid JSON and never continue or block a completed turn.
258
224
 
259
- ```bash
260
- npm run build
261
- npm run bench:perf-snapshot # default sizes 100, 1000, 5000
262
- node benchmarks/perf-snapshot.js --sizes 1000,10000 --json # custom shape
263
- ```
225
+ Codex hook interception is a guardrail, not a complete shell-policy boundary. The current host contract does not intercept every richer `unified_exec` path and may omit the exit status of silent Bash failures. See the [Codex hooks documentation](https://learn.chatgpt.com/docs/hooks). Use the Guard receipt as evidence, and keep sandboxing, approvals, CI, and deployment controls in place.
264
226
 
265
- Sample output from `benchmarks/snapshots/perf-0.22.2.json` (24-core Ryzen 9 7900X3D, Node 25.5.0, mock 64-dim embedding, hybrid recall, limit 5):
227
+ ### JavaScript API
266
228
 
267
- | Corpus size | Encode p50 (ms) | Encode p95 (ms) | Recall p50 (ms) | Recall p95 (ms) | Recall p99 (ms) |
268
- |---|---|---|---|---|---|
269
- | 100 | 0.33 | 0.59 | 0.54 | 1.82 | 2.71 |
270
- | 1,000 | 0.31 | 2.15 | 1.57 | 2.36 | 21.18 |
271
- | 5,000 | 0.31 | 1.84 | 2.09 | 3.42 | 16.58 |
229
+ ```js
230
+ import { Audrey, MemoryController } from 'audrey';
272
231
 
273
- These numbers cover Audrey's own pipeline (SQLite + sqlite-vec + hybrid ranking) and exclude embedding-provider cost. Real-world recall p95 with a local 384-dim provider is typically 5-15x higher; with a hosted provider it is dominated by the API round-trip. Run on your own hardware before quoting numbers anywhere.
232
+ const memory = new Audrey({
233
+ dataDir: './audrey-data',
234
+ agent: 'payments-agent',
235
+ embedding: { provider: 'local', dimensions: 384 },
236
+ });
274
237
 
275
- ### Behavioral regression suite
238
+ await memory.encode({
239
+ content: 'Stripe returns HTTP 429 above 100 requests per second.',
240
+ source: 'direct-observation',
241
+ tags: ['stripe', 'rate-limit'],
242
+ context: { service: 'billing' },
243
+ });
244
+
245
+ const capsule = await memory.capsule('increase Stripe throughput', {
246
+ scope: 'agent',
247
+ budgetChars: 3000,
248
+ });
276
249
 
277
- `npm run bench:memory:check` is a release gate. It runs a small set of retrieval and lifecycle scenarios (information extraction, knowledge updates, multi-session reasoning, conflict resolution, privacy boundary, overwrite, delete-and-abstain, semantic/procedural merge) against Audrey and three weak baselines (vector-only, keyword+recency, recent-window) and asserts Audrey doesn't regress. The baseline comparisons exist to catch correctness regressions in retrieval logic, not to make marketing claims.
250
+ const guard = new MemoryController(memory);
251
+ const before = await guard.beforeAction({
252
+ action: 'deploy the billing worker',
253
+ tool: 'Bash',
254
+ command: 'npm run deploy:billing',
255
+ cwd: process.cwd(),
256
+ });
278
257
 
279
- ```bash
280
- npm run bench:memory # full regression suite (writes JSON + report)
281
- npm run bench:memory:check # release gate, exits non-zero on regression
258
+ console.log(before.decision, before.evidenceIds);
259
+ await memory.closeAsync();
282
260
  ```
283
261
 
284
- ### GuardBench comparative suite
285
-
286
- `npm run bench:guard:check` runs Audrey's local GuardBench comparative suite:
287
- ten pre-action scenarios across Audrey Guard, no-memory, recent-window,
288
- vector-only, and FTS-only adapters. The scenarios cover exact repeated
289
- failures, required procedures, changed file scopes, changed commands,
290
- recovered failures, recall degradation, redaction safety, conflicting
291
- instructions, and noisy stores. It writes
292
- `benchmarks/output/guardbench-summary.json`,
293
- `benchmarks/output/guardbench-manifest.json`, and
294
- `benchmarks/output/guardbench-raw.json`. The emitted manifest, summary, and raw
295
- output shapes are validated by JSON schemas under `benchmarks/schemas/`.
296
-
297
- Latest local result in this checkout: 10/10 scenarios passed, 100% prevention
298
- rate, 0% false-block rate, 0 raw secret leaks, 0 published artifact leaks in
299
- the raw-secret sweep, and 2.916ms / 21.17ms
300
- p50/p95 guard latency under the mock-provider methodology.
301
-
302
- **Methodology caveats, on purpose.** All numbers above are produced against
303
- the in-process mock 64-dim embedding provider documented in the run's
304
- `provenance` block. They characterize Audrey's controller and SQLite path,
305
- not real-provider end-to-end latency or production false-positive rates. The
306
- 100% prevention rate is over the 5 GuardBench scenarios that expect a
307
- `block` decision (the suite is 10 scenarios total, mixed across allow / warn
308
- / block). Local baseline decision accuracy was: no-memory 10%, recent-window
309
- 60%, vector-only 40%, and FTS-only 10%; none of the local baselines passed
310
- the GuardBench decision-plus-evidence contract, which since v1.0.1 requires
311
- the correct decision plus at least one returned evidence id for `block` /
312
- `warn` scenarios (no longer Audrey-specific lineage phrasing — see
313
- `CHANGELOG.md#101---2026-05-15`). External-system numbers for Mem0 and Zep
314
- are explicitly out of scope for this Stage-A artifact; live credentialed
315
- runs land in a v2 paper after raw evidence bundles publish.
262
+ ### REST sidecar
316
263
 
317
264
  ```bash
318
- npm run bench:guard
319
- npm run bench:guard:check
320
- npm run bench:guard:manifest
321
- npm run bench:guard:validate
322
- npm run bench:guard:card
323
- npm run bench:guard:bundle
324
- npm run bench:guard:bundle:verify
325
- npm run bench:guard:leaderboard
326
- npm run bench:guard:adapter-registry:validate
327
- npm run bench:guard:adapter-module:validate
328
- npm run bench:guard:adapter-self-test
329
- npm run bench:guard:adapter-self-test:validate
330
- npm run bench:guard:publication:verify
331
- npm run bench:guard:adapter-smoke
332
- npm run bench:guard:adapter-conformance
333
- npm run bench:guard:external:dry-run
334
- npm run bench:guard:mem0 -- --dry-run
335
- npm run bench:guard:zep -- --dry-run
336
- node benchmarks/adapter-self-test.mjs --adapter ./path/to/adapter.mjs
337
- node benchmarks/guardbench.js --adapter ./path/to/adapter.mjs --check
265
+ AUDREY_AGENT=payments-agent audrey serve
266
+ curl http://127.0.0.1:7437/health
338
267
  ```
339
268
 
340
- External GuardBench adapters are ESM modules that export either `default`,
341
- `adapter`, or `createGuardBenchAdapter()`. The adapter receives scenario seed
342
- data and the proposed action, but the harness withholds `expectedDecision` and
343
- `requiredEvidence` until scoring. Start from
344
- `benchmarks/adapters/example-allow.mjs` when wiring a new system. Adapter
345
- authors can import `defineGuardBenchAdapter()` and `defineGuardBenchResult()`
346
- from `benchmarks/adapter-kit.mjs` to validate module shape and decision output
347
- while developing.
269
+ Core routes:
348
270
 
349
- The published adapter registry lives at `benchmarks/adapters/registry.json`.
350
- Run `npm run bench:guard:adapter-registry:validate` to verify registry shape,
351
- adapter paths, and credential-free module loading.
271
+ | Need | Route |
272
+ |---|---|
273
+ | Encode an episode | `POST /v1/encode` |
274
+ | Recall memory | `POST /v1/recall` |
275
+ | Build a context packet | `POST /v1/capsule` |
276
+ | Check before an action | `POST /v1/preflight` |
277
+ | Create a Guard receipt | `POST /v1/guard/before` |
278
+ | Close a Guard receipt | `POST /v1/guard/after` |
279
+ | Consolidate and decay | `POST /v1/dream` |
280
+ | Health and index state | `GET /v1/status` |
352
281
 
353
- Before running the full self-test, validate the ESM module shape quickly:
282
+ Use `AUDREY_API_KEY` for any non-loopback deployment. `X-Audrey-Agent` scopes encode, recall, capsules, preflight, Guard, consolidation, and greetings inside a trusted deployment; it is a routing header, not an authentication boundary. Bind agent/tenant identity at your gateway rather than trusting an arbitrary public header.
354
283
 
355
- ```bash
356
- npm run bench:guard:adapter-module:validate -- --adapter ./path/to/adapter.mjs
357
- ```
284
+ ### Python client
358
285
 
359
- Before publishing a new adapter, run `npm run bench:guard:adapter-self-test --
360
- --adapter ./path/to/adapter.mjs`. The self-test validates the external adapter
361
- contract and row conformance while explicitly allowing low benchmark scores, so
362
- authors can separate "valid submission shape" from "competitive GuardBench
363
- performance." The generated self-test report is validated against
364
- `benchmarks/schemas/guardbench-adapter-self-test.schema.json`. Reviewers can
365
- validate a submitted report without rerunning an adapter through `npm run
366
- bench:guard:adapter-self-test:validate -- --report ./guardbench-adapter-self-test.json`.
286
+ ```python
287
+ from audrey_memory import Audrey
367
288
 
368
- Audrey ships external adapters for Mem0 Platform and Zep Cloud. Run them only
369
- with runtime API keys:
289
+ memory = Audrey(base_url="http://127.0.0.1:7437", agent="payments-agent")
290
+ memory_id = memory.encode(
291
+ "Stripe returns HTTP 429 above 100 requests per second.",
292
+ source="direct-observation",
293
+ )
294
+ results = memory.recall("Stripe rate limit", limit=5)
295
+ memory.close()
296
+ ```
370
297
 
371
- ```bash
372
- set MEM0_API_KEY=...
373
- npm run bench:guard:mem0
298
+ The Python package is a client for the REST sidecar; the memory runtime remains in the Node process.
374
299
 
375
- set ZEP_API_KEY=...
376
- npm run bench:guard:zep
300
+ ### Memory and retrieval pipeline
301
+
302
+ ```text
303
+ episode
304
+ ├─ transactional SQLite + vector + FTS write
305
+ ├─ agent-scoped interference / resonance / validation
306
+ ├─ reinforcement or contradiction evidence
307
+ └─ sleep-time consolidation into semantic or procedural memory
308
+
309
+ query
310
+ ├─ bounded vector candidates
311
+ ├─ FTS5 lexical candidates
312
+ ├─ reciprocal-rank fusion and confidence scoring
313
+ ├─ context / affect / recency / interference modifiers
314
+ └─ final-only retrieval bookkeeping
377
315
  ```
378
316
 
379
- The Zep adapter uses the current REST surface for users, sessions, `memory.add`,
380
- `graph.search`, and benchmark-user cleanup. If Zep graph ingestion needs more
381
- time in a live account, set `ZEP_GUARDBENCH_INGEST_DELAY_MS` before the run.
382
-
383
- Run `npm run bench:guard:external:dry-run` before coordinating credentialed
384
- runs. It walks the runtime-env adapter registry, writes non-secret
385
- `external-run-metadata.json` files for each adapter, and reports which runtime
386
- environment variables are still missing. The external dry-run matrix report is schema-bound by
387
- `benchmarks/schemas/guardbench-external-dry-run.schema.json` and written to
388
- `benchmarks/output/external/guardbench-external-dry-run.json`.
389
-
390
- Run `npm run bench:guard:external:evidence` after dry-runs or live runs to
391
- write `benchmarks/output/external/guardbench-external-evidence.json`. This
392
- external evidence verification report is schema-bound by
393
- `benchmarks/schemas/guardbench-external-evidence.schema.json`, treats dry-run
394
- or missing-key rows as pending in normal release gates, and checks that saved
395
- metadata does not contain runtime credential values. Use
396
- `npm run bench:guard:external:evidence:strict` when Mem0/Zep keys have been
397
- provided; strict mode fails until every runtime-env adapter has a passed live
398
- bundle.
399
-
400
- External runs write `external-run-metadata.json` alongside the GuardBench
401
- summary, manifest, and raw output bundle under
402
- `benchmarks/output/external/<adapter>/`. The external runner validates the
403
- emitted bundle with `benchmarks/validate-guardbench-artifacts.mjs` before
404
- marking the run passed, and separately records adapter conformance so a valid
405
- low-scoring adapter is distinguished from a malformed adapter. When
406
- `external-run-metadata.json` is present, the validator also checks it against
407
- `benchmarks/schemas/guardbench-external-run.schema.json` and verifies any
408
- recorded SHA-256 artifact hashes against the bundle on disk.
409
-
410
- For a shareable submission artifact, run `npm run bench:guard:card -- --dir
411
- <output-dir>`. This writes `guardbench-conformance-card.json` with the subject
412
- name, run status, score, conformance result, artifact hashes, optional
413
- external-run metadata hash, and machine provenance. The standalone validator
414
- checks the card when it is present.
415
-
416
- For a portable submission directory, run `npm run bench:guard:bundle -- --dir
417
- <output-dir>`. This creates `submission-bundle/` with the raw GuardBench
418
- artifacts, conformance card, JSON schemas, validation report, and
419
- `submission-manifest.json` with SHA-256 hashes for every bundled file.
420
- Reviewers can run `npm run bench:guard:bundle:verify -- --dir
421
- <submission-bundle>` to check manifest hashes, bundled schemas, and artifact
422
- validation from the bundle alone.
423
-
424
- For benchmark aggregation, run `npm run bench:guard:leaderboard -- --bundle
425
- <submission-bundle>`. The leaderboard builder verifies each bundle before
426
- ranking and writes JSON plus Markdown reports under `benchmarks/output/leaderboard/`.
427
-
428
- Before publishing benchmark artifacts, run `npm run
429
- bench:guard:publication:verify`. This single benchmark-focused verifier checks
430
- the adapter registry, default adapter module, adapter self-test report,
431
- GuardBench manifest/summary/raw artifacts, submission bundle, external dry-run
432
- matrix, external evidence verification report, leaderboard, and a local
433
- absolute-path sweep over the public artifact set.
434
- The verifier validates its own machine-readable report against
435
- `benchmarks/schemas/guardbench-publication-verification.schema.json` before it
436
- exits.
437
-
438
- Before turning the paper into public posts or submissions, run `npm run
439
- paper:claims`. It validates `docs/paper/claim-register.json` against the
440
- current paper, README, GuardBench artifacts, publication verifier, and external
441
- evidence status so pending Mem0/Zep live-score claims cannot slip into public
442
- copy.
443
- Run `npm run paper:publication-pack` to verify the ready-to-use arXiv, Hacker
444
- News, Reddit, X, and LinkedIn drafts in `docs/paper/publication-pack.json`
445
- before browser-based submission. The X URL reserve is explicit: the first X
446
- post carries `reservedUrlChars: 24`, and submitted artifact-url targets in
447
- `browser-launch-results.json` must record the final `artifactUrl`.
448
- Run `npm run paper:arxiv` to generate a deterministic TeX source package under
449
- `docs/paper/output/arxiv/`, and `npm run paper:arxiv:verify` to check hashes,
450
- citation conversion, bibliography coverage, seeded-secret redaction, and local
451
- absolute-path leakage before arXiv upload.
452
- Run `npm run paper:arxiv:compile` to record a schema-bound compile report at
453
- `docs/paper/output/arxiv-compile-report.json`. It attempts `tectonic`,
454
- `latexmk`, `pdflatex`/`bibtex`, or `uvx tecto` with a local bundle proxy when
455
- available; `npm run paper:arxiv:compile:strict` stays blocked on hosts without
456
- supported TeX tooling.
457
- Run `npm run paper:launch-plan` to verify
458
- `docs/paper/browser-launch-plan.json`, which maps those drafts to manual
459
- browser targets, login/captcha expectations, platform-rule checks, source
460
- URLs, and post-submit URL capture.
461
- Run `npm run paper:launch-results` to validate
462
- `docs/paper/browser-launch-results.json`, the post-submit ledger for arXiv,
463
- Hacker News, Reddit, X, and LinkedIn targets. The normal verifier allows
464
- pending rows with explicit blockers; `npm run paper:launch-results:strict`
465
- fails until every target has a submitted, operator-verified public URL.
466
- Run `npm run paper:bundle` to generate
467
- `docs/paper/output/submission-bundle/`, a hash-manifested package containing
468
- paper sources, claim and publication registers, GuardBench outputs, schemas,
469
- and package metadata. `npm run paper:bundle:verify` checks the manifest and
470
- file hashes before browser upload.
471
- Run `npm run release:readiness` for the pending-aware Audrey 1.0 checklist.
472
- It keeps code/paper readiness separate from publish blockers; `npm run
473
- release:readiness:strict` fails until the 1.0 version surfaces,
474
- source-control state, live remote-head verification, Python artifacts, npm
475
- registry/auth readiness, PyPI publish readiness, arXiv compile proof, browser
476
- publication URLs, and live Mem0/Zep evidence are complete.
477
- Run `npm run release:cut:plan` to preview the exact 1.0 version/changelog
478
- edits across npm, lockfile, MCP, and Python surfaces. `npm run
479
- release:cut:apply -- --target-version 1.0.0` writes those edits only when the
480
- final cut is intentional. The generated changelog section is release-note copy,
481
- not a TODO scaffold; `release:readiness:strict` rejects placeholder changelog
482
- markers before publication.
483
- Run `npm run security:audit` before packaging or publishing; the release gates
484
- call it after artifact verification so production dependency advisories cannot
485
- slip past the final package check.
486
-
487
- ## Command Reference
317
+ Agent-scoped vector search uses a native `sqlite-vec` partition key before nearest-neighbor ranking, not post-filtered whole-store candidates. If fusion underfills, Audrey makes one bounded partition-local retry. Semantic and procedural retrieval counts update only as final results are yielded; deduplicated, over-limit, and unconsumed stream candidates receive no authority boost.
488
318
 
489
- ```bash
490
- # First contact
491
- npx audrey doctor
492
- npx audrey demo
319
+ ### MCP surface
320
+
321
+ Audrey exposes 22 MCP tools plus status, recent-memory, and principle resources and briefing/recall/reflection prompts. The main groups are:
322
+
323
+ - capture: `memory_encode`, `memory_reflect`, `memory_observe_tool`
324
+ - retrieval: `memory_recall`, `memory_capsule`, `memory_greeting`
325
+ - action safety: `memory_preflight`, `memory_guard_before`, `memory_guard_after`, `memory_reflexes`
326
+ - lifecycle: `memory_consolidate`, `memory_dream`, `memory_decay`, `memory_resolve_truth`
327
+ - governance: `memory_validate`, `memory_promote`, `memory_forget`, `memory_export`, `memory_import`, `memory_status`, `memory_introspect`
328
+
329
+ The server also sends host instructions explaining the Guard receipt loop when lifecycle hooks are unavailable.
493
330
 
494
- # MCP setup
495
- npx audrey install --host codex --dry-run
496
- npx audrey mcp-config codex
497
- npx audrey mcp-config generic
498
- npx audrey hook-config claude-code
499
- npx audrey install
500
- npx audrey uninstall
501
-
502
- # Health and maintenance
503
- npx audrey status
504
- npx audrey status --json --fail-on-unhealthy
505
- npx audrey dream
506
- npx audrey reembed
507
-
508
- # Closed-loop visibility
509
- npx audrey impact
510
- npx audrey impact --json --window 7 --limit 5
511
-
512
- # Tool-trace learning
513
- npx audrey observe-tool --event PostToolUse --tool Bash --outcome failed
514
- npx audrey promote --dry-run
515
-
516
- # REST sidecar
517
- npx audrey serve
518
- copy .env.docker.example .env
519
- # edit AUDREY_API_KEY in .env
520
- docker compose up -d --build
331
+ ### Environment variables
332
+
333
+ | Variable | Default | Purpose |
334
+ |---|---|---|
335
+ | `AUDREY_DATA_DIR` | `~/.audrey/data` | SQLite store; use a distinct directory per tenant/security boundary |
336
+ | `AUDREY_AGENT` | host-specific | Logical memory owner used for scoped operations |
337
+ | `AUDREY_EMBEDDING_PROVIDER` | `local` | `local`, `gemini`, `openai`, or `mock` |
338
+ | `AUDREY_LLM_PROVIDER` | auto | `anthropic`, `openai`, or `mock` for reflection/consolidation |
339
+ | `AUDREY_LLM_MODEL` | provider default | Explicit LLM model override |
340
+ | `AUDREY_DEVICE` | `gpu` | Local embedding device; falls back to CPU |
341
+ | `AUDREY_CONTEXT_BUDGET_CHARS` | `4000` | Maximum default capsule size |
342
+ | `AUDREY_AUTOPILOT_SCOPE` | `agent` | `agent` or explicit cross-agent `shared` recall for hooks |
343
+ | `AUDREY_HOOK_FAIL_CLOSED` | `0` | Deny guarded actions when Audrey itself fails |
344
+ | `AUDREY_API_KEY` | unset | Bearer token for REST access |
345
+ | `AUDREY_HOST` | `127.0.0.1` | REST bind address |
346
+ | `AUDREY_PORT` | `7437` | REST port |
347
+ | `AUDREY_ENABLE_ADMIN_TOOLS` | `0` | Enable export, import, and forget operations |
348
+ | `AUDREY_ENABLE_SHARED_SCOPE` | `0` | Allow explicit cross-agent REST recall; admin tools also enable it |
349
+ | `AUDREY_PROFILE` | `0` | Include stage timing diagnostics |
350
+ | `AUDREY_DISABLE_WARMUP` | `0` | Disable MCP embedding warmup |
351
+ | `AUDREY_PRAGMA_DEFAULTS` | `1` | Set `0` to use better-sqlite3 PRAGMA defaults |
352
+
353
+ Provider secrets are never embedded in generated hook commands. `--include-secrets` applies only to MCP registration; prefer host environment injection or a secret manager.
354
+
355
+ ### Production checklist
356
+
357
+ - Give every tenant or hard isolation domain its own `AUDREY_DATA_DIR`.
358
+ - Pin embedding and LLM providers explicitly.
359
+ - Back up the store before provider, dimension, or version migrations.
360
+ - Put the REST sidecar behind authentication and rate limits; do not expose an agent-selection header as identity.
361
+ - Leave REST shared scope disabled unless cross-agent retrieval is intentional and authorized by your own identity layer.
362
+ - Keep credentials and regulated raw content out of encoded memories.
363
+ - Decide retention, deletion, encryption, and audit policy before regulated use.
364
+ - Monitor `audrey status --json --fail-on-unhealthy`.
365
+ - Keep the hook runtime on a stable installed path.
366
+ - Load-test concurrent writers for your topology; SQLite WAL is not a distributed coordination layer.
367
+
368
+ ### Benchmarks and evidence
369
+
370
+ Run the release gates locally:
371
+
372
+ ```bash
373
+ npm test
374
+ npm run bench:memory:check
375
+ npm run bench:guard:check
376
+ npm run bench:guard:publication:verify
377
+ npm run smoke:cli
378
+ npm run pack:check
521
379
  ```
522
380
 
523
- The Node sidecar defaults to `127.0.0.1:7437`. The Docker image intentionally binds inside the container on `3487`, so Compose requires `AUDREY_API_KEY` in `.env` before startup. Override the published host port with `AUDREY_PUBLISHED_PORT` when using Compose.
381
+ GuardBench currently contains ten local, deterministic pre-action scenarios covering repeated failures, procedures, scope changes, recovery, redaction, conflicting instructions, and noisy stores. The checked-in v1 methodology uses a mock 64-dimensional embedding provider and exists to catch regressions. A perfect local pass is not a claim about real-provider latency or production false-positive rates.
524
382
 
525
- ## Documentation
383
+ <!-- guardbench-summary:start -->
384
+ Latest local result in this checkout: 10/10 scenarios passed, 100% prevention rate, 0% false-block rate, 0 raw secret leaks, 0 published artifact leaks, and 3.501ms / 20.658ms p50/p95 Guard latency under the mock-provider methodology.
385
+ <!-- guardbench-summary:end -->
526
386
 
527
- - [Security policy](SECURITY.md)
528
- - [Audrey paper outline](docs/AUDREY_PAPER_OUTLINE.md)
529
- - Public setup, runtime, benchmark, and command guidance is maintained in this README.
387
+ `benchmarks/perf-snapshot.js` measures encode and hybrid-recall p50/p95/p99 at configurable corpus sizes with machine and provider provenance. Run it on the hardware and embedding provider you plan to operate; hosted-provider latency is dominated by its network round trip.
530
388
 
531
- ## Development
389
+ The longer-term public evaluation target includes [LongMemEval](https://arxiv.org/abs/2410.10813), [MemoryAgentBench](https://arxiv.org/abs/2507.05257), and adversarial memory-poisoning cases. Relevant design directions include bitemporal knowledge graphs in [Zep/Graphiti](https://arxiv.org/abs/2501.13956), evolving memory organization in [A-MEM](https://arxiv.org/abs/2502.12110), and sleep-time agent compute in [Sleep-time Compute](https://arxiv.org/abs/2504.13171).
532
390
 
533
- Developer setup runs from source, not from the published tarball, so `npm run build` is required before any CLI subcommand resolves:
391
+ ### Development
534
392
 
535
393
  ```bash
394
+ git clone https://github.com/Evilander/Audrey.git
395
+ cd Audrey
536
396
  npm ci
537
397
  npm run build
538
- npm run lint # ESLint (type-checked typescript-eslint); CI requires it clean
539
- npm run format # Prettier; use `npm run format:check` to verify without writing
398
+ npm run lint
399
+ npm run format:check
540
400
  npm test
541
401
  ```
542
402
 
543
- Once built, the `Quick Start` commands work against the local `dist/` output. Code style and types are enforced: `npm run lint` and `npm run format:check` run in CI (Ubuntu + Windows) and in every release gate, so the baseline cannot regress. The full release gate runs everything CI runs:
403
+ See [CONTRIBUTING.md](CONTRIBUTING.md), [SECURITY.md](SECURITY.md), and [docs/MEMORY_BENCHMARKING.md](docs/MEMORY_BENCHMARKING.md).
404
+
405
+ ### Maintainer release gates
406
+
407
+ These commands are intentionally documented because the paper and release evidence ledger verifies them against the public source tree:
544
408
 
545
409
  ```bash
546
- npm run release:gate
547
- python -m unittest discover -s python/tests -v
410
+ npm run bench:guard:zep
411
+ npm run bench:guard:external:dry-run
412
+ npm run bench:guard:external:evidence
413
+ npm run bench:guard:external:evidence:strict
414
+
415
+ npm run paper:arxiv:compile
416
+ npm run paper:arxiv:compile:strict
417
+ npm run paper:launch-results
418
+ npm run paper:launch-results:strict
419
+
420
+ npm run release:cut:plan
421
+ npm run release:cut:apply
422
+ npm run release:readiness
423
+ npm run release:readiness:strict
548
424
  npm run python:release:check
549
425
  ```
550
426
 
551
- `npm test` uses a repo-local Vitest launcher so locked-down Windows temp
552
- directories do not block test startup. `npm run release:gate:sandbox` remains
553
- available for hosts that block child-process spawning entirely.
427
+ Live Zep runs require `ZEP_API_KEY`; `ZEP_GUARDBENCH_INGEST_DELAY_MS` tunes ingestion settling time. The external dry-run matrix proves adapter shape without credentials, while external evidence verification distinguishes pending runs from verified live evidence.
554
428
 
555
- ## License
429
+ Publication packaging performs an absolute-path sweep, reserves an X URL reserve in social copy, and checks submitted artifact-url targets. Release readiness separately reports source-control state, live remote-head verification, npm registry/auth readiness, and PyPI publish readiness.
556
430
 
557
- MIT. See [LICENSE](LICENSE).
431
+ MIT licensed. Built for agents that should get better at the work without becoming less accountable.