Agents need memory they can trust.
Heartwood Memory gives AI agents provenance-first recall, policy-enforced retrieval, and deletion that leaves a key-destruction proof — embedded beside your existing systems of record. Not a new database. Not “unlimited memory.” The control plane in between.
python -m pip install "heartwood-memory[recall,mcp]" · source-available core · your data stays put
from heartwood import Heartwood
hw = Heartwood(path="./heartwood.db", tenant="tenant:acme")
hw.remember(
"Refunds over $500 require finance approval.",
subject="policy:refunds",
created_by="agent:support",
)
# recall under policy — signed, provenance-carrying, tenant-scoped
hits = hw.recall("what's our refund policy?",
principal_id="agent:support")Proven by gates you can re-run.
Product-path enterprise retrieval over 56 queries (nDCG@10 0.818).
Every recalled memory carries its source chain, model version, and signature.
Zero cross-tenant leakage under adversarial multi-tenant tests.
Retrieval, policy, faithfulness, deletion, egress, and resilience gates.
Within budget for hook- and agent-loop integration.
Policy-before-ranking vs. 0.000 leakage when filtering after the vector search.
Figures come from executable gates in the Heartwood core (pre-registered thresholds, paired-bootstrap confidence intervals). We publish what is evidenced — and we say plainly when something is directional or still in design.
Five guarantees other memory layers leave to the prompt.
Memory is typed
Source, episodic, semantic, procedural, profile, and generated memory are distinct kinds — so agents retrieve the right context on purpose instead of treating every chunk the same.
Policy comes before ranking
Tenant, classification, scope, denied subjects, and effective time filter the candidate set before results are ranked. The agent never sees a record it is not cleared for, then relies on a prompt to behave.
Provenance by construction
Every memory is signed at write and re-verified at read. Each recall result carries its source chain, the model version that produced it, and a valid signature.
Generated memory is not canonical
LLM-written summaries stay derived artifacts. They must carry source support and pass faithfulness checks before they become useful, trusted memory.
Deletion that leaves a proof
Crypto-shred erasure follows source-to-memory lineage into projections, indexes, caches, and exports — and leaves a tamper-evident audit record behind.
For agents where being wrong is expensive.
Built for teams running high-stakes agents over support tickets, customer records, operational Postgres, internal policy and knowledge bases, and compliance-sensitive workflows — teams that already have agents but need stronger answers for provenance, policy, deletion, and auditability.
Regulated support agents
Answer from policy and customer evidence, cite where every claim came from, and prove a deleted customer is gone from derived memory.
Operations & workflow assistants
Carry workflow memory and audit trails across long-running tasks without leaking one tenant’s state into another.
Research & synthesis agents
Produce source-grounded summaries that are gated on faithfulness before they are trusted as memory.
Compliance-sensitive copilots
Keep restricted material behind classification clearance and block unsafe egress to external models — by policy, not by prompt.
The control plane between your agents and your systems of record — not a replacement for your database, and not “unlimited memory.”
Review, provision, build.
Review
Read the docs and the executable proof. Run the trust suite yourself — every governance claim is a gate you can re-run.
Provision
Pick a tier and provision a license, or start free and self-host. Keys are issued to your email; your data never leaves your environment.
Build
Install the library, point it at your data, and ship agents that retrieve under policy, cite their sources, and emit a key-destruction proof on deletion.
Source-available core. Pay when you need governance backed by a team.
Community
Engineers and teams proving the fit.
- Embedded library (Python) + MCP server
- Provenance, typed memory, policy-gated recall
- Crypto-shred deletion + tamper-evident audit
- Run the full trust suite yourself
- Community support
Team
Teams taking the trust suite from a laptop to production.
- Everything in Community
- Production recall gateway — serve recall to your app, authenticated & remote (in development)
- Signed release distribution — signed wheels + manifest (in development)
- Supported production deployment config + migration tooling (incl. Postgres)
- Commercial-use license for production
- Email support (no SLA)
Professional
Teams with compliance pressure governing memory at scale.
- Everything in Team
- Multi-tenant at scale — per-tenant isolation & authz (in development)
- Managed KMS/HSM key custody — AWS, GCP, Azure, Vault (in development)
- Signed audit export — auditor-verifiable trail (in development)
- SSO — SAML / OIDC for the control plane (in development)
- Full governed TypeScript SDK — recall parity with Python (in development)
- Priority support, security advisories & SLA
Enterprise
Regulated organizations with auditors in the room.
- Everything in Professional
- On-prem / air-gapped deployment
- Bring-your-own-HSM / customer-managed keys
- WORM audit retention + SIEM streaming
- Custom framework adapters + audit consulting
Team and Professional are in early access — features marked “in development” are on the roadmap, not shipped today, and CTAs route to the design-partner program rather than a live checkout. Enterprise is scoped by conversation and billed by custom quote.
Point it at your hardest agent.
We’re onboarding a small group of design partners shipping high-stakes agents who need real answers for provenance, policy, deletion, and audit. Bring a use case; leave with a plan.