Rarity Index logo Rarity Index case study
Start a Project
Back to systems

System Deep Dive

Snapshot: May 2026

Sovereign Stack, private memory infrastructure with ownership boundaries.

Sovereign Stack is the private memory substrate under the agent systems: each agent owns its store, cross-query reads are explicitly read-only, gateway tools expose notes and vector memory without publishing private routes, and canonical facts keep shared truth from becoming shared ownership.

  • ROcross-query
  • OWNstore writes
  • HASHapproval checks
  • SAFEpublic boundary
Sovereign memory ownership diagram showing own-store writes, read-only cross-query, and canonical facts

Proof Surfaces

The public proof shows the shape, not the private cluster.

The source audit found useful evidence, but the old page was publishing too many live operational details. This version keeps the architecture visible and the private memory plane private.

Per-agent sovereign memory boundary diagram
Ownership boundary Per-agent stores, read-only cross-query, canonical facts, and human/lead authority are the stable public claims.
Sovereign gateway surface diagram with notes, vector memory, embedding, and status lanes
Gateway surface The FastMCP gateway proof is grouped by tool categories while endpoint, token, and collection details remain redacted.
Sovereign ETL and retrieval diagram showing exports, normalization, embeddings, and Qdrant upsert
ETL and retrieval Source-backed ingestion accepts conversation exports, memory exports, and transcripts, then embeds and upserts with metadata.
Sovereign Stack system map showing private gateways, memory stores, embedding lanes, and read-only retrieval
System map The system map was cleaned so it no longer publishes exact live tool counts, node counts, or endpoint wording.

Ownership Model

Sovereignty is enforced by storage boundaries, not vibes.

The ADRs define a concrete mental model: agents can look across stores through approved read paths, but they write only to their own memory.

Per-agent stores
  • Each agent maintains its own sovereign memory store.
  • A compromised or confused peer cannot directly corrupt another agent's store.
  • Worker agents are intentionally ephemeral and do not get persistent memory tools.
Read-only bridge
  • Cross-query opens peer stores in database-level read-only mode.
  • Search can span the federation without granting cross-store writes.
  • ACLs and rate limits keep retrieval bounded.
Shared truth
  • Canonical facts provide a shared reference point without merging memories.
  • Blessing workflows include provenance evidence and contradiction checks.
  • Lead Claude or Joe can mark facts authoritative.

Gateway And ETL

The source proves a real memory surface, but the public page keeps the hot details out.

Gateway categories
  • Trilium note tools cover workspace notes, labels, relations, and day notes.
  • Qdrant memory tools cover store, search, list, delete, and gateway health.
  • Emotion and temporal context reads are present as optional context lanes, with availability checks.
  • URLs, tokens, collection names, and live hosts are environment driven and not published.
Retrieval pipeline
  • The ETL accepts Claude exports, memory-service exports, and JSONL transcripts.
  • Records are normalized, hashed for stable IDs, embedded through a BGE-compatible endpoint, and upserted with metadata.
  • Dry-run mode and batch/concurrency controls make ingestion auditable before mutation.
  • The public page talks about the pipeline shape, not private memory contents.

Safety Controls

Writes, truth, and failure modes have named controls.

Approval gates
  • File, Kubernetes, database, and memory mutations require approval.
  • Approval requests include hash verification to prevent bait-and-switch edits.
  • Decisions leave an audit trail.
Circuit posture
  • Cross-query includes health, relationship, review, and circuit-breaker surfaces.
  • Containment can move from normal operation toward read-only, isolated, or full-stop states.
  • Those controls are described without exposing live operational dashboards.
Memory vs MemOS
  • Sovereign Stack is the memory/control substrate.
  • MemOS is the operating system and dashboard/control layer above memory stores.
  • The page keeps those stories separate so neither one blurs into the other.

Public Claim Boundary

Exact counts, nodes, endpoints, and memory totals are intentionally removed.

The old page had useful signal, but it exposed details that drift or should stay private. This version keeps source-backed architecture and demotes live inventory claims.

Verified
  • Accepted ADRs for sovereign stores, read-only cross-query, worker isolation, canonical facts, and approval-gated tools.
  • A FastMCP gateway source file combining note, vector memory, context, and health surfaces.
  • An ETL script for private-memory ingestion into vector retrieval stores.
Reframed
  • Old tool counts and gateway counts became qualitative gateway-surface claims.
  • Old node-specific claims became redacted private-infrastructure wording.
  • Old live memory totals became an ETL/retrieval architecture claim.
Kept private
  • Node names, IPs, hostnames, ports, route paths, tokens, collection names, and memory contents.
  • Private phase notes are summarized only where the public architecture needs context.
  • Dirty source-repo work was used read-only and not committed here.

Stack

FastMCP, Trilium, Qdrant, BGE embeddings, SQLite boundaries, and ADR-backed controls.

  • FastMCP
  • Trilium
  • Qdrant
  • BGE embeddings
  • SQLite read-only
  • Canonical facts
  • Cross-query
  • ETL pipeline
  • Approval gates
  • Worker isolation
  • Gateway status
  • Redacted ops

Need memory to behave like infrastructure instead of a plugin?

That usually means ownership boundaries, retrieval quality, mutation gates, truth workflows, and public/private separation all need design work.

Email Rarity Index