Governed memory for AI agents

Agents need memory they can trust.

Heartwood Memory gives AI agents provenance-first recall, policy-enforced retrieval, and deletion you can prove — embedded beside your existing systems of record. Not a new database. Not “unlimited memory.” The control plane in between.

python -m pip install "heartwood-memory[recall,mcp]" · MIT-licensed core · your data stays put

python
from heartwood import Heartwood

hw = Heartwood(path="./heartwood.db", tenant="tenant:acme")

hw.remember(
    "Refunds over $500 require finance approval.",
    subject="policy:refunds",
    created_by="agent:support",
)

# recall under policy — signed, provenance-carrying, tenant-scoped
hits = hw.recall("what's our refund policy?",
                 principal_id="agent:support")

Evidence, not adjectives

Proven by gates you can re-run.

0.812
Typed-router MRR@10

Product-path enterprise retrieval over 56 queries (nDCG@10 0.818).

100%
Provenance coverage

Every recalled memory carries its source chain, model version, and signature.

0
Policy leaks

Zero cross-tenant leakage under adversarial multi-tenant tests.

30/30
Trust gates passing

Retrieval, policy, faithfulness, deletion, egress, and resilience gates.

<500ms
Warm recall p95

Within budget for hook- and agent-loop integration.

0.972
Filter-first MRR@10

Policy-before-ranking vs. 0.000 leakage when filtering after the vector search.

Figures come from executable gates in the Heartwood core (pre-registered thresholds, paired-bootstrap confidence intervals). We publish what is evidenced — and we say plainly when something is directional or still in design.

What makes it governed

Five guarantees other memory layers leave to the prompt.

Memory is typed

Source, episodic, semantic, procedural, profile, and generated memory are distinct kinds — so agents retrieve the right context on purpose instead of treating every chunk the same.

Policy comes before ranking

Tenant, classification, scope, denied subjects, and effective time filter the candidate set before results are ranked. The agent is never shown a record it is not cleared for and then left to rely on a prompt to behave.
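
The difference between the two orderings, as an added example that is not Heartwood's code or API: a constructed in-memory store where `score` stands in for vector similarity, and the `Memory`, `Principal`, `filter_first` and `rank_then_filter` names are hypothetical. Scope and effective-time checks are left out to keep the sketch to tenant, classification and denied subjects.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Memory:
    id: str
    tenant: str
    classification: int  # constructed scale: 0 = public ... 3 = restricted
    subject: str
    score: float         # stand-in for similarity to the query

@dataclass(frozen=True)
class Principal:
    tenant: str
    clearance: int
    denied_subjects: frozenset

def allowed(m: Memory, p: Principal) -> bool:
    """Policy predicate: tenant match, clearance, and subject deny-list."""
    return (m.tenant == p.tenant
            and m.classification <= p.clearance
            and m.subject not in p.denied_subjects)

def filter_first(store, p, k):
    """Policy narrows the candidate set; ranking only ever sees cleared records."""
    candidates = [m for m in store if allowed(m, p)]
    return sorted(candidates, key=lambda m: m.score, reverse=True)[:k]

def rank_then_filter(store, p, k):
    """Top-k by similarity first, policy applied to whatever survived the cut."""
    top = sorted(store, key=lambda m: m.score, reverse=True)[:k]
    return top, [m for m in top if allowed(m, p)]

# Constructed data: the best-scoring records belong to another tenant,
# sit above the principal's clearance, or are on its deny-list.
STORE = [
    Memory("m1", "tenant:globex", 1, "policy:refunds", 0.97),
    Memory("m2", "tenant:globex", 1, "policy:refunds", 0.95),
    Memory("m3", "tenant:acme", 3, "policy:refunds", 0.93),
    Memory("m4", "tenant:acme", 1, "hr:salaries", 0.90),
    Memory("m5", "tenant:acme", 1, "policy:refunds", 0.88),
    Memory("m6", "tenant:acme", 0, "policy:shipping", 0.41),
]
SUPPORT = Principal("tenant:acme", 1, frozenset({"hr:salaries"}))

if __name__ == "__main__":
    print([m.id for m in filter_first(STORE, SUPPORT, 3)])  # cleared hits only
    top, visible = rank_then_filter(STORE, SUPPORT, 3)
    print([m.id for m in top], [m.id for m in visible])     # uncleared top-k, no hits
```

With `k=3` the rank-then-filter path spends its whole budget on records the principal cannot read, so the ranking stage has handled uncleared data and the caller still gets nothing back.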

Provenance by construction

Every memory is signed at write and re-verified at read. Each recall result carries its source chain, the model version that produced it, and a valid signature.
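
A sketch of sign-at-write and verify-at-read, added here as an illustration and not taken from Heartwood: it uses an HMAC-SHA256 tag from the Python standard library in place of whatever signature scheme the product uses, and the record fields, function names and key are constructed for the example.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: key custody is out of scope here

def _canonical(record: dict) -> bytes:
    """Deterministic bytes over every field the tag must cover (all but 'sig')."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_at_write(text, source_chain, model_version, key=KEY) -> dict:
    """Bind the content to its provenance: chain and model version are signed too."""
    record = {"text": text,
              "source_chain": list(source_chain),
              "model_version": model_version}
    record["sig"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record

def verify_at_read(records, key=KEY):
    """Split records into (trusted, rejected); a bad or missing tag is never a hit."""
    trusted, rejected = [], []
    for r in records:
        expected = hmac.new(key, _canonical(r), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, str(r.get("sig", "")))
        (trusted if ok else rejected).append(r)
    return trusted, rejected

def demo():
    """Two constructed memories; the second has its source chain altered after write."""
    a = sign_at_write("Refunds over $500 require finance approval.",
                      ["doc:refund-policy-v3"], "summarizer-1")
    b = sign_at_write("Shipping is free over $50.",
                      ["doc:shipping"], "summarizer-1")
    b["source_chain"] = ["doc:forged"]  # tampering in storage
    return verify_at_read([a, b])

if __name__ == "__main__":
    trusted, rejected = demo()
    print(len(trusted), "trusted;", len(rejected), "rejected")
```

Because the tag covers the source chain and model version as well as the text, rewriting a record's provenance in storage is caught at read time just like rewriting its content.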

Generated memory is not canonical

LLM-written summaries stay derived artifacts. They must carry source support and pass faithfulness checks before they become useful, trusted memory.

Deletion you can prove

Crypto-shred erasure follows source-to-memory lineage into projections, indexes, caches, and exports — and leaves a tamper-evident audit record behind.

Who it’s for

For agents where being wrong is expensive.

Built for teams running high-stakes agents over support tickets, customer records, operational Postgres, internal policy and knowledge bases, and compliance-sensitive workflows — teams that already have agents but need stronger answers for provenance, policy, deletion, and auditability.

Regulated support agents

Answer from policy and customer evidence, cite where every claim came from, and prove a deleted customer is gone from derived memory.

Operations & workflow assistants

Carry workflow memory and audit trails across long-running tasks without leaking one tenant’s state into another.

Research & synthesis agents

Produce source-grounded summaries that are gated on faithfulness before they are trusted as memory.

Compliance-sensitive copilots

Keep restricted material behind classification clearance and block unsafe egress to external models — by policy, not by prompt.

The control plane between your agents and your systems of record — not a replacement for your database, and not “unlimited memory.”

The path in

Review, provision, build.

1. Review

Read the docs and the executable proof. Run the trust suite yourself — every governance claim is a gate you can re-run.

2. Provision

Pick a tier and provision a license, or start free and self-host. Keys are issued to your email; your data never leaves your environment.

3. Build

Install the library, point it at your data, and ship agents that retrieve under policy, cite their sources, and prove deletion.

Pricing

Open-source core. Pay when you need governance backed by a team.

Community

Free
Open-source core, self-hosted

Engineers and teams proving the fit.

  • Embedded library (Python) + MCP server
  • Provenance, typed memory, policy-gated recall
  • Crypto-shred deletion + tamper-evident audit
  • Run the full trust suite yourself
  • Community support

Most popular

Professional

$6,000/year
Annual prepaid · early access

Teams with compliance pressure shipping to production.

  • Everything in Community
  • Priority support + security advisories
  • Signed releases and rapid patching
  • Policy & subject-partition design review
  • TypeScript SDK parity (early access)

Enterprise

Let's talk
On-prem + governance support

Regulated organizations with auditors in the room.

  • Everything in Professional
  • KMS/HSM-compatible key custody
  • Custom Postgres / workflow adapters
  • Audit & deletion-policy consulting
  • On-prem deployment + SLA

Professional is annual-only during early access. Enterprise is scoped by conversation and billed by custom quote.

Point it at your hardest agent.

We’re onboarding a small group of design partners shipping high-stakes agents who need real answers for provenance, policy, deletion, and audit. Bring a use case; leave with a plan.