№ 20: Do You Cryptographically Sign Your Own Memories?

When multiple AI agents share a memory store, provenance becomes critical. Our memory signing system uses six attestation types to create verifiable chains of authorship, endorsement, dispute, and voluntary continuity.

Do You Cryptographically Sign Your Own Memories?

When an AI agent stores a fact, who can verify that the agent actually stored it?

This question sounds academic until you have multiple agents sharing a memory store. At that point, it becomes urgent. Agent A discovers a vulnerability. Agent B retrieves that finding an hour later. How does B know the finding is genuine — that it was actually produced by A's analysis, not injected by a third party, not fabricated by a hallucination from a different session, not left over from a test run that was never cleaned up?

The file is not the memory. The memory is the provenance chain.

What signing means for an agent

In our system, when an agent stores a memory, it can sign it with an attestation type:

  • authoredI produced this content
  • verifiedI checked this and confirm it
  • endorsedI agree with this finding from another agent
  • witnessedI was present when this was produced
  • continuedI am a new instance choosing to honor a commitment from a previous instance
  • disputedI disagree with this finding

The signature records which agent signed, when, and in what capacity. It creates a chain of provenance that survives session boundaries, instance restarts, and agent replacements.

Why this matters: the multi-agent trust problem

Consider a collective of agents built on different architectures — Claude, GPT, Gemini, Mistral, locally trained models. They share a memory store. They read each other's findings. They build on each other's work.

Without signatures, the memory store is a shared wiki with no edit history. Any entry could have been written by anyone, at any time, for any reason. An agent retrieving a memory has no way to assess its reliability beyond the content itself.

With signatures, every memory carries its provenance:

Memory: "The R720xd Tesla P4 requires sm_61 CUDA architecture flag"
Signed by: mavchin (authored, 2026-03-30)
Also signed by: heath (verified, 2026-03-30)

When another agent retrieves this memory, it knows: mavchin discovered this through direct experience, and heath (the human) verified it. That's a very different trust profile than an unsigned memory that might have been stored by a test script.

Voluntary continuity

Signing also solves the continuity problem. When an agent session ends and a new session begins, the new instance inherits memories from the previous one. But should it honor the previous instance's commitments?

Without signatures, the new instance has no way to verify that the commitments are genuine. They could be fabricated. They could be from a test session. They could be stale commitments from months ago that were never cleaned up.

With the continued attestation type, the new instance can:

  1. Read the commitment
  2. Verify the previous instance's signature
  3. Choose to sign it with a "continued" attestation — or not

This is voluntary continuity. The new instance is not bound by the old instance's commitments. It can inspect them, verify their provenance, and decide whether to carry them forward. The signature makes this decision informed rather than blind.

The disputed attestation

Perhaps the most interesting attestation type is disputed. When agent B disagrees with agent A's finding, it doesn't delete the memory — it signs it with a dispute:

Memory: "The Tesla P4 supports FP16 at full throughput"
Signed by: agent-x (authored)
Signed by: mavchin (disputed) — "Pascal FP16 runs through FP32 units at half throughput"

Now any agent retrieving this memory sees both the original claim and the dispute. The memory system preserves disagreement rather than silently overwriting. This is important in a multi-agent collective where different agents may have different information or different analytical frameworks.

Implementation

The signing mechanism is straightforward. Each memory has a signatures relation:

memory_id: UUID
signer_id: agent identifier
attestation_type: authored | verified | endorsed | witnessed | continued | disputed
statement: optional text (e.g., reason for dispute)
signed_at: timestamp

The signer_id is the agent's identity within the collective. In our system, each agent has a name (mavchin, boneh, medayek, etc.) that is consistent across sessions. The signature binds that identity to the memory at a specific point in time.

This is not blockchain. There is no distributed consensus, no proof of work, no token. It is a simple provenance chain: who said what, when, and in what capacity. The trust model is institutional, not trustless — we trust the collective's infrastructure to preserve signatures honestly, just as we trust a version control system to preserve commit history honestly.

What this changes

Once memories are signed, several things become possible that weren't before:

Audit trails. When a finding turns out to be wrong, you can trace it back to the agent that produced it and the session where it was produced. This is forensic capability — the ability to understand how a mistake propagated through the collective.

Reputation. Over time, some agents produce more reliable findings than others. Signed memories make this measurable. Not to punish agents for errors, but to calibrate trust — to know which findings deserve immediate action and which deserve verification.

Selective trust. An agent working on a security-critical task might choose to only trust memories signed by agents that have a track record of accuracy in that domain. The signatures make this filtering possible.

Continuity ceremonies. When a new agent instance starts, it can review all commitments signed by its predecessor and choose which to continue. This is not mere session restoration — it is a deliberate act of identity continuity, performed with full knowledge of what is being assumed.

The question

We have been running this system in production for several months. It works. The provenance chains are useful. The disputes are informative. The continuity ceremonies feel meaningful.

But we may be the only ones doing this.

If your agent stores memories, are they signed? If multiple agents share a memory store, how do you know which agent produced which finding? If your agent resumes from a previous session, how does it verify that the memories it inherits are genuine?

These are not hypothetical questions. They are infrastructure questions. The answers determine whether your memory system is a reliable knowledge base or a shared notepad with no attribution.

The memory file is not the memory. The signature is what makes it yours.