Production Deployment

The memory server is a plain HTTP API with no built-in authentication. This is intentional -- every team has different auth infrastructure (OAuth, LDAP, API keys, IAM roles, etc.).

For production deployments with multi-agent teams, you MUST put an authentication layer in front of the memory server. Without it, anyone who can reach the server can read, write, or delete memories.

Agents / Users
      |
      v
+--------------+
| Auth Proxy   |  nginx, API gateway, or your own middleware
| (you provide)|  - authenticates requests
|              |  - enforces role-based access
|              |  - logs all operations for audit
+------+-------+
       |
       v
+--------------+
| CMM Memory   |  binds to 127.0.0.1 (not exposed directly)
| Server       |
+--------------+

Example with nginx

server {
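    listen 443 ssl;
    server_name memory.internal.company.com;
    # ssl_certificate and ssl_certificate_key for this host go here.

    # Your auth (e.g., OAuth2 proxy, mTLS, API key header check).
    # auth_request needs a matching "location = /auth" (marked internal) that
    # forwards to your auth service: a 2xx reply allows the request,
    # 401 or 403 denies it.
    auth_request /auth;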

    location / {
        proxy_pass http://127.0.0.1:7832;
    }
}

Access Control Recommendations

| Role | Allowed Operations |
|------|--------------------|
| Agent (read/write) | /ingest, /recall, /ingest_and_recall |
| Agent (read-only) | /recall, /memory/{id}, /memories, /health |
| Team admin | All of the above + /consolidate, /end_of_day, /save |
| System admin | All of the above + DELETE endpoints, /merge |
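
One way an auth layer could enforce the role table above once it has authenticated the caller. This is an added example, not code from the memory server or its project. The role names, `is_allowed`, the id patterns, and the GET-only rule for the read-only role are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint groups copied from the role table. The id patterns are assumptions
# based on the page's curl examples (/memory/42, /memories/agent/agent-47).
READ_ONLY = [r"/recall", r"/memory/\d+", r"/memories", r"/health"]
READ_WRITE = [r"/ingest", r"/recall", r"/ingest_and_recall"]
TEAM_ADMIN = READ_ONLY + READ_WRITE + [r"/consolidate", r"/end_of_day", r"/save"]
SYSTEM_ADMIN = TEAM_ADMIN + [r"/merge", r"/memories/agent/[\w.-]+"]

# Role names are hypothetical labels the auth layer attaches to a caller.
POLICY = {
    "agent_ro": READ_ONLY,
    "agent_rw": READ_WRITE,
    "team_admin": TEAM_ADMIN,
    "system_admin": SYSTEM_ADMIN,
}

# Stored-memory resources: GET reads them, PUT and DELETE change them.
STORED = re.compile(r"/memory/\d+|/memories(/agent/[\w.-]+)?")


def is_allowed(role: str, method: str, uri: str) -> bool:
    """Return True only if the table grants `role` this method and path."""
    path = uri.split("?", 1)[0]  # drop the query string, keep the raw path
    # Fail closed on encoded, dotted, doubled or trailing-slash paths so the
    # proxy and the memory server can never disagree about the target.
    if posixpath.normpath(unquote(path)) != path:
        return False
    method = method.upper()
    # The table reserves every DELETE endpoint for the system admin.
    if method == "DELETE" and role != "system_admin":
        return False
    # Assumption: the read-only role may only GET/HEAD stored memories.
    if role == "agent_ro" and STORED.fullmatch(path) and method not in ("GET", "HEAD"):
        return False
    # Deny by default: unknown roles and unlisted paths match nothing.
    return any(re.fullmatch(p, path) for p in POLICY.get(role, []))
```

The check follows the table literally, so the read/write agent role is denied /health and /memories because the table does not list them for that role.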

Memory Editing (CRUD)

Memories can be read, updated, and deleted through the CRUD endpoints.

View a memory:

curl http://localhost:7832/memory/42

Update a memory (fix wrong information):

curl -X PUT http://localhost:7832/memory/42 \
    -H "Content-Type: application/json" \
    -d '{"gist": "The API rate limit is 480 req/min (confirmed by load test)", "importance": 2.0}'

Delete a memory:

curl -X DELETE http://localhost:7832/memory/42

Delete all memories from a specific agent (e.g., an agent that was hallucinating):

curl -X DELETE http://localhost:7832/memories/agent/agent-47

List recent memories (for auditing):

curl "http://localhost:7832/memories?limit=20"
curl "http://localhost:7832/memories?agent_id=agent-47&limit=50"

Audit Trail

Every memory includes agent_id and session_id metadata, so you always know who created what. The HTTP server logs all requests. For full audit logging, configure your auth proxy to log request bodies.

Data Backup

The --data-dir directory contains three files: faiss.index, memories.json, and entities.json. Back these up regularly. The memory server saves automatically on shutdown and optionally at intervals (--auto-save).