ai-memory 0.6.4

AI-agnostic persistent memory system — MCP server, HTTP API, and CLI for any AI platform
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

# ai-memory systemd units

Drop-in systemd units for operators running ai-memory as a hardened
single-node deployment. Shipped by the Debian PPA and Fedora COPR
packages; also usable standalone on any systemd distro.

## Units

| File | Purpose | Type |
|------|---------|------|
| `ai-memory.service` | Main daemon (HTTP + MCP) | `simple` |
| `ai-memory-sync.service` | Peer-mesh sync daemon (optional) | `simple` |
| `ai-memory-backup.service` | One-shot snapshot via `VACUUM INTO` | `oneshot` |
| `ai-memory-backup.timer` | Hourly backup trigger | `timer` |

## Install — manual

```sh
# 1. System user + state dir. The Debian PPA postinst and Fedora COPR
#    %post scriptlet do this automatically.
sudo useradd --system --home /var/lib/ai-memory --shell /usr/sbin/nologin ai-memory
sudo install -d -o ai-memory -g ai-memory -m 0750 /var/lib/ai-memory
sudo install -d -o ai-memory -g ai-memory -m 0750 /var/lib/ai-memory/backups

# 2. Units into /etc/systemd/system (or /usr/lib/systemd/system for distro packages)
sudo install -m 0644 packaging/systemd/*.service /etc/systemd/system/
sudo install -m 0644 packaging/systemd/*.timer   /etc/systemd/system/

# 3. Reload + enable.
sudo systemctl daemon-reload
sudo systemctl enable --now ai-memory.service
sudo systemctl enable --now ai-memory-backup.timer
```

## Sync daemon — optional

The `ai-memory-sync.service` is disabled by default. Configure peers via
`/etc/ai-memory/sync.env`:

```sh
PEERS=https://peer-a.example:9077,https://peer-b.example:9077
# For mTLS, add --client-cert / --client-key / --mtls-allowlist:
EXTRA_ARGS=--client-cert /etc/ai-memory/tls/client.pem --client-key /etc/ai-memory/tls/client.key
```

Then:

```sh
sudo systemctl enable --now ai-memory-sync.service
```

## Hardening

All units ship with maximally restrictive systemd sandboxing:

- No new privileges
- Strict filesystem — read-only system, only `/var/lib/ai-memory` writable
- No access to `/home`, `/tmp` (private), `/dev` (private)
- No kernel tunables, modules, logs, cgroups
- Address families restricted to `AF_UNIX AF_INET AF_INET6`
- `SystemCallFilter=@system-service` with `@mount @swap @reboot @obsolete` denied
- Capability bounding set empty
- Memory Deny Write Execute (no JIT)

Review `systemd-analyze security ai-memory.service` to verify exposure level.
Ship-default target: "OK" or better (score <5.0).

## Resource caps

Default caps are tuned for a single-node operator running a modest
load. Override via a drop-in at
`/etc/systemd/system/ai-memory.service.d/override.conf`:

```ini
[Service]
MemoryMax=8G
TasksMax=2048
LimitNOFILE=131072
```

Do not weaken hardening directives without understanding the tradeoff —
if an exploit lands in a crate deep in the dep tree, these are the walls
that keep it from pivoting.

## Troubleshooting

```sh
# Runtime status
systemctl status ai-memory
journalctl -u ai-memory -n 200 -f

# Sandboxing review
systemd-analyze security ai-memory.service
systemd-analyze verify /etc/systemd/system/ai-memory.service

# Backup verification
ls -la /var/lib/ai-memory/backups
sudo -u ai-memory /usr/bin/ai-memory backup list --to /var/lib/ai-memory/backups
```

## License

Apache-2.0. See `../../LICENSE`.