Local-First & Privacy
By default, memtomem sends your memory data nowhere. Storage, embedding, search, and reranking all run on your machine, and content that looks like a secret is filtered out automatically at the cache, index, and share boundaries.
Fully Local
Section titled “Fully Local”- Storage — The default store is local SQLite (
~/.memtomem/). No network port is exposed. - Embeddings — Embeddings run locally via the built-in ONNX (fastembed) provider. No GPU, no external API, no cloud, and no cost. (Ollama and OpenAI providers are optional.)
- Reranking — When you enable reranking, the default provider is local ONNX (fastembed) — no external API required.
- STM proxy — STM speaks stdio to your AI client; the proxy server itself opens no network port. Persisted stores — the response cache, metrics, and feedback — are all local-only SQLite files under
~/.memtomem/, never remote or shared across hosts. - No account — It works without any login or sign-up.
- The one exception — Content leaves your machine only if you opt into an external provider: OpenAI/Ollama embeddings or reranking, or an external LLM compression/extraction path in STM. On STM’s external-LLM path,
privacy_scan_enabled(default on) scans for credentials before the outbound call and skips it on a hit; turning it off sends raw responses unscanned (the server logs a startup warning).
Filesystem Protection
Section titled “Filesystem Protection”The data directory (~/.memtomem/) is created with 0o700 permissions and its files are written 0o600 (owner read/write only). Separately, the runtime directory that holds the server’s pid/lock files ($XDG_RUNTIME_DIR/memtomem, or /tmp/memtomem-<uid>) is created 0o700 and startup refuses it if group/other access has been left open.
Secret Protection
Section titled “Secret Protection”memtomem blocks credential-, token-, and key-shaped content from flowing into your stores or wider scopes at several points.
- STM sensitive-content detection — Responses containing patterns that look like secrets (e.g.
sk-…,ghp_…, AWSAKIA…, JWTs,BEGIN … PRIVATE KEY) are excluded from the response cache and from being indexed into LTM. - Indexing credential exclusion — LTM indexing applies a built-in credential denylist (
oauth_creds.json,credentials*,id_rsa*,*.pem,*.key,.ssh/**, …). A user!negationpattern cannot re-enable these built-in patterns. - Re-scan on share — When
mem_agent_sharecopies a memory into a wider namespace, the redaction guard re-scans it, and secret-looking content is blocked at share time. - Context Gateway — Writing or moving to the
project_sharedtier (git-tracked) hard-refuses on a detected secret, with no--forcevalve (git history is permanent). Theuserandproject_localtiers allow an override after review.
Query Privacy (STM Surfacing)
Section titled “Query Privacy (STM Surfacing)”STM surfacing extracts a query from each tool call to search LTM. You control how that query text is retained.
MEMTOMEM_STM_SURFACING__PERSIST_QUERY_TEXT=false— Store asha256:<16-hex>digest instead of the raw text.MEMTOMEM_STM_SURFACING__QUERY_RETENTION_DAYS(default30) — Clear raw query text retained in the feedback DB after the given number of days.- Sensitive content (credentials, PII) is always hashed before persistence, regardless of the setting.
- Write-tool skip — Surfacing is automatically disabled for upstream tools that mutate state.
No Lock-In
Section titled “No Lock-In”STM imports your existing MCP servers and proxies them in front — but the move is reversible. mms eject restores an imported server to its original host MCP client config, and only removes the STM entry once the restore is verified.
Trust Boundary & Best Practices
Section titled “Trust Boundary & Best Practices”- STM trusts your local AI client and the upstream MCP servers you configure. Only proxy upstreams you trust.
- The optional surfacing daemon binds to loopback (
127.0.0.1) and authenticates with a per-start random token. Do not pointMEMTOMEM_STM_DAEMON__HOSTat a non-loopback address. - The LTM web UI (
mm web) binds to127.0.0.1by default. - Report vulnerabilities via GitHub security advisory or contact@dapada.co.kr — not public issues.
Related
Section titled “Related”- Environment Variables — full privacy-related settings
- Proactive Surfacing — query privacy and gating
- Context Gateway — per-tier secret blocking
- Multi-Agent Collaboration — redaction on share