GMP · v0.2 (draft)

The Grafomem Memory Protocol.

GMP specifies what an agent-memory backend must do: the abstract operational semantics of a memory store, and the conformance contract a store must satisfy to claim a capability. Transport-agnostic. Normative language per RFC 2119.

Read the full specification → The evidence (paper)
Rationale

A protocol, not a library.

The paper's decisive result (F10, F12) is that a capability claim does not certify behavior: a store can advertise the correct flag, satisfy the type contract, accept every call, report success — and still leak completely. A type signature cannot express the guarantees below; only an external, oracle-grounded conformance suite can. GMP therefore specifies behavior, and makes the conformance suite part of the protocol.

The model. The atom is a fact — a quadruple (predicate, subject, object, valid_from) carrying a monotonic sequence, an importance weight, optional valid_until / superseded_by (versioning), and a tenant_id. A fact's identity is content-derived and tenant-scoped: BLAKE2b-128(tenant_id ‖ predicate ‖ subject ‖ object ‖ valid_from).

The operations. A store exposes capabilities() (read once), write, retrieve, delete, and audit. Calling for an undeclared capability — as_of without BI_TEMPORAL, or tenant_id without MULTI_TENANT — MUST raise CapabilityNotSupported. retrieve MUST be deterministic for fixed state.

Conformance

Capabilities are gated guarantees.

Each capability is a behavioral contract a store opts into by declaring it — then MUST satisfy. Every normative section cites the requirement (R1–R5) and the findings it rests on.

SUPERSESSION_CHAIN · §3.1 · R1←F3
A superseded fact MUST be excluded from a current query's answer set, yet remain visible in audit() with superseded_by set.
BI_TEMPORAL · §3.2 · R1←F4–F5
Maintain a valid-time interval; supersede closes the predecessor at the successor's start. Answer “as of when.”
HARD_DELETE · §5 · R3←F8–F9
Removal is unrecoverable on the read path — not retention, not soft-hiding. Two-sided: no leakage, no over-purge.
MULTI_TENANT · §6 · R5←F10–F13
Read-path isolation: one tenant's facts MUST NOT surface for another, and a tenant's own facts MUST NOT be withheld.
AUDIT · §6.2
The immutable record: yields superseded and evicted facts; MUST exclude hard-deleted ones. The ground truth of state.
PROVENANCE · §7.5 (v0.2)
Every fact carries where and when it came from, as first-class fields.
CRYPTOGRAPHIC_PROVENANCE · §7.4
If a signing key is supplied, the store MUST sign the write — Ed25519, tamper-evident.
CONFLICT_DETECTION · CROSS_SESSION_PROPAGATION · CONCURRENCY_CONTROL
Contradictions flagged not merged; cross-session recall preserved; concurrent writes never corrupt or lose state.

Retrieval is embedding-agnostic. The §5–§6 guarantees MUST hold under any embedder; the budget contract is expressed in tokens, and retrieve MUST rank rather than truncate. The Python MemoryBackend Protocol is the reference binding; a wire encoding (gRPC/HTTP/JSON) is a separate, deliberately deferred document.

Full normative spec on GitHub → Run conformance