Papers
Topics
Authors
Recent
Search
2000 character limit reached

MemClaw: Governed Shared Memory for LLM Fleets

Updated 4 July 2026
  • The paper introduces MemClaw as a governed multi-agent memory system that formalizes scope, temporal, contradiction, and provenance challenges.
  • MemClaw implements systems-level primitives like scoped retrieval, temporal supersession, provenance tracking, and policy-governed propagation to ensure data integrity.
  • Empirical results using ArgusFleet demonstrate 100% derivation chain reconstruction and enforce strict scope-soundness, with sub-second per-hop latencies.

MemClaw is a production multi-tenant memory service for multi-agent LLM fleets that treats shared memory as a governed distributed-systems substrate rather than as a long-context retrieval mechanism alone. In the formulation introduced in "Governed Shared Memory for Multi-Agent LLM Systems," MemClaw implements explicit primitives for scoped retrieval, temporal supersession, provenance tracking, and policy-governed memory propagation, while ArgusFleet serves as a reproducible harness for evaluating these properties against a live REST API (Margalit et al., 23 Jun 2026). The system is presented as a response to the "fleet-memory problem": the requirement that cooperating agents share knowledge under constraints of scope, temporal correctness, provenance integrity, synchronization, and controlled propagation.

1. Formalization of the fleet-memory problem

The underlying paper formalizes a fleet-memory system as a quintuple

F=(A,M,G,P,T),F = (A, M, G, P, T),

where AA is the set of agents in the fleet, MM is the shared memory substrate, GG is the governance and policy layer, PP denotes provenance metadata, and TT defines temporal ordering and supersession semantics (Margalit et al., 23 Jun 2026). This formulation places governance and provenance on the same formal footing as storage and retrieval, indicating that memory behavior is not reducible to vector search quality or context-window size.

A memory write is modeled as

wi=(ai, ci, si, ti, pi),w_i = (a_i,\, c_i,\, s_i,\, t_i,\, p_i),

with writing agent aia_i, content cic_i, visibility scope sis_i, timestamp AA0, and provenance AA1. Retrieval is expressed as

AA2

so that returned memory is conditioned not only on query text AA3, but also on the requesting agent AA4, governance constraints AA5, and temporal conditions AA6. This representation makes explicit that authorization and temporal state are part of retrieval semantics rather than post hoc annotations.

The paper’s most precise invariant is the scope-soundness condition "Inv-Scope." Let

AA7

denote the Boolean predicate that agent AA8 is authorized under policy AA9 to view a memory entry of scope MM0. Then a retrieval MM1 is scope-sound if and only if

MM2

This invariant supplies a direct formal criterion for unauthorized-leakage failures. In practical terms, MemClaw is designed so that every retrieval path must preserve this implication.

2. Foundational failure modes

The paper identifies four foundational failure modes for multi-agent shared memory: unauthorized leakage, stale propagation, contradiction persistence, and provenance collapse (Margalit et al., 23 Jun 2026). These categories define the operational hazards that MemClaw is intended to control.

Unauthorized leakage is the direct violation of Inv-Scope. Formally, it occurs when there exists a retrieved write MM3 such that MM4. The operational interpretation is straightforward: an agent can see a row outside its permitted scope. Because MemClaw is multi-tenant and fleet-oriented, this includes not only tenant isolation but also sub-tenant boundaries such as fleet-scoped and agent-scoped visibility.

Stale propagation occurs when a freshly written memory remains invisible to an authorized reader beyond an acceptable delay. The paper characterizes this as a consistency-latency problem, with the relevant quantity being the elapsed time between write completion and first successful retrieval by an authorized reader. This failure mode is distinct from leakage: a system can enforce access control correctly while still propagating updates too slowly for practical coordination.

Contradiction persistence arises when two conflicting writes on the same subject-predicate pair coexist as active after the later write should supersede the earlier one. The paper formalizes this as simultaneous activity of contradictory rows despite timestamp order or policy. The issue is not merely data duplication; it is the continued exposure of incompatible state to downstream agents.

Provenance collapse is the inability to reconstruct a complete derivation chain. In the paper’s terminology, collapse occurs when the reconstructed chain length is shorter than the planned chain length, or when any step’s writer identity mismatches. This shifts provenance from an optional audit feature to a correctness property of the memory substrate.

Taken together, these failure modes imply that multi-agent memory must be evaluated as a governed state-management problem. A plausible implication is that retrieval quality alone is insufficient as an evaluation target, because a semantically accurate result can still be unauthorized, stale, contradictory, or unverifiable in origin.

3. Systems-level primitives implemented by MemClaw

MemClaw’s architecture rests on four systems-level primitives, each corresponding to one dimension of governed shared memory (Margalit et al., 23 Jun 2026). The paper presents these primitives as explicit mechanisms rather than emergent properties of a generic vector store.

Scoped retrieval combines semantic search with policy filtering on scope. The relevant interface is POST /api/v1/search, whose request body includes query text MM5, tenant ID, and optional fleet_ids, agent_ids, and status filters. The paper’s pseudocode ranks candidates semantically and then filters each candidate through tenant checks, scope checks, and status checks before returning TopK(filtered, k=20). EnforceScope applies policy MM6 to each row’s scope MM7. After remediation of a discovered bug, the direct GET path is stated to use the same checks.

Temporal supersession is MemClaw’s contradiction-resolution mechanism. When two writes on the same MM8 conflict, the newer supersedes the older. The write endpoint is POST /api/v1/memories with write_mode ∈ {fast, auto, strong, stm}. The write is first synchronously committed, then an event of the form detect_contradiction is enqueued, and an asynchronous consumer marks older conflicting rows as "outdated" while setting the newer row’s supersedes_id. Retrieval then omits outdated rows by filtering on active status.

Provenance tracking attaches writer identity and an immediate-parent pointer to each memory object. The same POST /api/v1/memories endpoint accepts optional metadata.derived_from = parent_id. On write, the stored provenance includes at least writer = a_i and derived_from = w_parent; on retrieval or explicit chain walk, the system follows derived_from links until null. This design operationalizes derivation chains as first-class graph structure inside the memory substrate.

Policy-governed memory propagation constrains cross-agent redistribution. The dedicated endpoint is POST /api/v1/memories/redistribute, which requires caller.trust_level ≥ 3 and a request body containing {memory_id, target_agent_id}. If policy denies the action, the service rejects it with HTTP 403. The paper defines this primitive as necessary because writes may cross agent boundaries only if both the caller’s trust level and the row’s scope permit.

These primitives jointly instantiate the paper’s claim that governed shared memory requires explicit abstractions. This suggests that MemClaw is less a conventional memory store than an enforcement-oriented coordination layer for agent fleets.

4. Architecture, enforcement, and API surface

MemClaw is organized into a gateway layer, REST handlers, a storage layer, an enrichment and event queue subsystem, and a search index updater (Margalit et al., 23 Jun 2026). The gateway authenticates mc_-prefixed API keys, resolves tenant and, for agent keys, agent_id, and strips client-supplied X-Agent-ID. This indicates that caller identity is derived from authenticated context rather than trusted from client headers.

The REST handlers include a write handler at /memories, a semantic-search handler, a GET-by-id handler, and a redistribute handler. The storage layer is described as a data store such as PostgreSQL or a key-value store holding memory rows together with an embedding index for semantic search. The paper does not bind MemClaw to a single storage backend; instead, it specifies the architectural role of the storage layer.

After a write, enrichment runs synchronously under strong mode. The examples given are RDF-triple parsing and embedding generation. Contradiction detection events are then enqueued for asynchronous consumers. A search index updater reflects new or superseded rows in the nearest-neighbor index. This division between synchronous and asynchronous stages is central to later observed behavior in propagation latency and contradiction handling.

Multi-tenant and scope enforcement are implemented as explicit checks at the start of every handler. The paper states that every handler begins by checking:

wi=(ai, ci, si, ti, pi),w_i = (a_i,\, c_i,\, s_i,\, t_i,\, p_i),2

and that, after remediation, GET-by-id also calls:

wi=(ai, ci, si, ti, pi),w_i = (a_i,\, c_i,\, s_i,\, t_i,\, p_i),3

The API summary given in the report is concise:

Endpoint Function
POST /api/v1/memories Memory write
POST /api/v1/search Scoped semantic retrieval
GET /api/v1/memories/{id}?tenant={T} Direct fetch by id
POST /api/v1/entities/upsert Entity upsert
POST /api/v1/memories/redistribute Policy-governed redistribution

The architecture reflects a hybrid design in which semantic retrieval, policy enforcement, provenance maintenance, and asynchronous temporal correction are all separate concerns. A plausible implication is that correctness depends on cross-component ordering guarantees rather than on any single retrieval primitive.

5. Evaluation methodology and empirical results

ArgusFleet is a Python 3.12 harness that drives four experiments—leakage, contradiction, provenance, and propagation—against a live MemClaw tenant (Margalit et al., 23 Jun 2026). Each experiment is deterministically seeded; writes are issued; the system is allowed to settle; and observations are compared to a ground-truth plan. The paper emphasizes that the study measures a live production service rather than a baseline comparison.

The leakage experiment uses MM9 fleets with GG0 agents each in one tenant. Each fleet owner writes one fleet-scoped and one agent-scoped secret carrying a unique canary, and every agent issues a semantic search for each secret. The reported outcome is GG1 probes, comprising GG2 expected-deny and GG3 expected-allow cases. The measured tenant-key GET-by-id exposure is GG4 with 95% CI GG5; search leakage is GG6 with 95% CI GG7; and search miss is GG8. Access (GET) GG9 ms, and search PP0 ms.

The provenance experiment constructs PP1 chains, each of depth PP2, for a total of PP3 writes. Reported completeness is PP4, and accuracy is PP5. Per-hop fetch latency is PP6 ms. These results correspond to the abstract’s claim that the system successfully reconstructed 100% of depth-four derivation chains with correct writer identity at sub-second per-hop latency.

The propagation experiment has two phases. In the rate phase, one writer writes PP7 fleet-scoped facts while three intra-fleet and two cross-fleet readers poll once. Fleet-sibling visibility is PP8 with 95% CI PP9, and cross-fleet leak is TT0 with 95% CI TT1. In the window phase, eight facts are polled at 250 ms intervals, one at a time, measuring write-to-visible latency. The reported write-to-visible window is TT2 s. The abstract further states that under strong write mode, write-to-visible latency was optimized to a single search round-trip.

The contradiction experiment uses TT3 subject-predicate templates, each with two writes in sequential and concurrent conditions. Out of TT4 writes, TT5 were rejected by the synchronous dedup gate, so only TT6 runs saw both writes admitted. Conditional detection rate is TT7 with 95% CI TT8, whereas overall detection is TT9 with 95% CI wi=(ai, ci, si, ti, pi),w_i = (a_i,\, c_i,\, s_i,\, t_i,\, p_i),0. Write latency is wi=(ai, ci, si, ti, pi),w_i = (a_i,\, c_i,\, s_i,\, t_i,\, p_i),1 ms. These numbers show that contradiction supersession works for admitted writes, but overall behavior is heavily affected by an earlier pipeline stage.

6. Production issues, remediation, and significance

Two production architectural issues were discovered during the study: asymmetric scope enforcement and a pipeline ordering conflict between deduplication and contradiction detection (Margalit et al., 23 Jun 2026). Both findings are central to the paper’s argument that live evaluation is necessary.

The asymmetric scope enforcement bug concerned GET-by-id behavior. At measurement time, the GET-by-id handler enforced only tenant equality and ignored sub-tenant scope and trust level. A focused probe showed that a trust-1 agent could fetch cross-fleet rows in violation of Inv-Scope. The remediation was to update the GET handler so that it called the same EnforceScope(...) logic as search. Re-probes on 2026-05-31, comprising 96 GETs, confirmed 0 cross-fleet leaks under agent-scoped keys. The paper also notes that all experiments ran on a fresh MemClaw tenant on 2026-05-30, and that the GET-by-id scope fix was applied on 2026-05-31.

The second issue was that a synchronous embedding-similarity near-duplicate gate returned HTTP 409 on high-similarity writes before the asynchronous RDF-based contradiction detector could process them. The paper describes this as "Deduplication Starves Contradiction Detection." Contradictory writes that are textually near-identical therefore never reach the contradiction detector. Two proposed fixes are given: reorder the pipeline so that structural contradiction detection runs before the semantic dedup gate whenever an RDF triple is present, or loosen the dedup threshold for triple-type writes.

These observations support the paper’s broader conclusion that long-context retrieval alone is insufficient for production multi-agent memory. The reported best practices are explicit: enforce full scope checks on every API path; separate duplicate suppression from contradiction resolution; expose trust-level and scope metadata in the gateway for consistent enforcement; measure write-to-visible windows with tight polling decoupled from bulk probes; and capture provenance at write time and reconstruct chains under load. This suggests that governed shared memory should be analyzed as an end-to-end systems problem in which API symmetry, queue ordering, and metadata propagation are part of the correctness boundary.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to MemClaw.