Server data from the Official MCP Registry
Governed agent recall with signed provenance and policy gates. BUSL-1.1; not OSI open source.
Governed agent recall with signed provenance and policy gates. BUSL-1.1; not OSI open source.
Heartwood Memory is a well-designed governed memory system with strong cryptographic foundations and policy-gated recall. The codebase demonstrates good security practices with proper credential handling, environment variable configuration for sensitive parameters, and comprehensive testing. However, moderate concerns exist around managed key custody (server decrypts to serve), reliance on environment variables for security configuration, and implicit trust in principal identity passed via payload in some configurations. The permissions align appropriately with the system's purpose as a secure memory store. Supply chain analysis found 8 known vulnerabilities in dependencies (0 critical, 5 high severity). Package verification found 1 issue.
3 files analyzed · 16 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: HEARTWOOD_DB_PATH
Environment variable: HEARTWOOD_TENANT
Environment variable: HEARTWOOD_MCP_ALLOWED_TOOLS
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-jermayne36-heartwood-memory": {
"env": {
"HEARTWOOD_TENANT": "your-heartwood-tenant-here",
"HEARTWOOD_DB_PATH": "your-heartwood-db-path-here",
"HEARTWOOD_MCP_ALLOWED_TOOLS": "your-heartwood-mcp-allowed-tools-here"
},
"args": [
"heartwood-memory"
],
"command": "uvx"
}
}
}From the project's GitHub README.
Heartwood Memory is a governed memory store for AI agents: provenance-signed audit, policy-gated recall, tenant isolation, and a per-subject key-destruction proof on erasure.
License at a glance. Heartwood Memory 0.2.0 and later is source-available under the Business Source License 1.1 (BSL 1.1), not an OSI "open source" license. Non-production use is free at any size. Small Organizations—fewer than 100 employees and independent contractors and less than $1M in prior-tax-year revenue, as adjusted from 2019 under the license—may also use it in production at no charge. Each version converts automatically to the Apache License 2.0 four years after release. Versions 0.1.0–0.1.2 were MIT-licensed and remain MIT-licensed permanently.
Website · Compare Heartwood · FAQ · PyPI
Governed, source-auditable memory for AI agents, embedded beside your existing systems of record.
Heartwood is a cryptographic trust root for agent memory: every memory is signed, recall runs under policy before ranking, the audit log is hash-chained and tamper-evident, and erasure emits a falsifiable per-subject key-destruction receipt. The package ships as an embedded Python library with governed adapter surfaces that run on your infrastructure.
Honest boundary. Heartwood is managed-key: the server decrypts to serve recall. The receipts below are source-auditable today. Deletion is a per-subject key-destruction workflow, not an instantaneous deletion guarantee. See Key custody and erasure.
python -m pip install "heartwood-memory[recall,mcp]"
Remember a governed memory, recall it under policy, and emit a key-destruction receipt:
from heartwood import Heartwood, Policy, Principal, prove_crypto_erase_path
# 1. Open an embedded, tenant-scoped store.
db = Heartwood(path="./heartwood.db", tenant="tenant:acme")
# 2. Remember. The record is signed and written to a hash-chained audit log.
db.remember(
"Customer 42 is on the Enterprise plan.",
subject="customer:42",
created_by="agent:support",
policy=Policy(classification="internal"),
)
# 3. Recall. Policy gates the candidate set before ranking.
principal = Principal(
id="agent:support",
tenant="tenant:acme",
roles=("support",),
clearance="internal",
)
out = db.recall(
"what plan is customer 42 on?",
principal=principal,
filters={"subject": "customer:42"},
k=5,
)
for hit in out["results"]:
print(hit["content"], hit["provenance"]["signature_valid"])
# 4. Forget. This crypto-shreds the per-subject key and purges derived artifacts.
receipt = db.forget(
"customer:42",
mode="hard",
actor="agent:support",
reason="right-to-erasure request",
)
db.close()
proof = prove_crypto_erase_path(
"./heartwood.db",
tenant="tenant:acme",
root_present=False,
).to_dict()
print(receipt["key_shredded"], proof["content_unrecoverable"])
Keep local artifacts out of Git. This repository's
.gitignoredoes not propagate into downstream repositories. If you run these examples in another checkout, add equivalent ignores there for local Heartwood databases and sidecars, token/config files, root-local JSONL inputs, generated*-report.jsonfiles, and.venv/; alternatively, keep sensitive runtime state under an ignored.heartwood/directory. Keep deliberate fixtures in non-root paths so they remain reviewable.
Want governed memory for an MCP-capable agent instead of a library? See the governed MCP quickstart and the Codex local-stdio quickstart. Write and erase verbs are not exposed by default; operators opt in by naming them explicitly.
Governance you can inspect and re-run at the record level:
| Receipt | What it does | Boundary today |
|---|---|---|
| Signed provenance | Every memory is signed; the signature and content hash are re-verified at read and surfaced on each result. | Re-verified and surfaced, not yet enforced as a hard read failure. |
| Tamper-evident audit | Hash-chained append-only log; verify_chain() detects an in-place edit or dropped row. | Catches in-place tampering; tail-truncation needs an external anchor. |
| Policy before ranking | Recall is restricted to cleared records before ranking; denied records are not scored, returned, or counted. | Source-auditable; multi-tenant-at-scale validation is still in progress. |
| Key-destruction receipt | forget(mode="hard") destroys the per-subject key and purges derived artifacts. | Shows key destruction, not byte-level content deletion. |
| Faithfulness + egress gate | Generated memories fail closed unless they pass a faithfulness check; rejected egress requests block the external-model call. | Explicit override stores a downweighted, review-only copy. |
Run the console script after installation:
heartwood --help
From version 0.2.0, Heartwood Memory is source-available under the Business Source License 1.1 (BSL 1.1) — not an OSI "open source" license. You may read the source, run it locally, develop against it, evaluate it, and self-host it for non-production use at no charge. Small organizations (fewer than 100 people and less than $1M annual revenue) may also run it in production at no charge. Larger organizations need a commercial license for production use. Each version converts automatically to the Apache License 2.0 four years after its release.
Versions 0.1.0–0.1.2 are MIT-licensed and remain so permanently. See NOTICE for details. Commercial support, managed key custody, and hosted services are available separately.
Prove boring trust before building ambitious cognition:
The cognitive database vision should be earned by evidence from these loops.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.