Technical note

Why redaction has to happen before storage.

Draft mockup · 5 min read

If raw agent context becomes the durable artifact, every later permission model is already cleaning up after a mistake. The safer boundary is earlier: redact before persistence.

The raw version should not be recoverable from disk.

Redaction is not a display layer. It is part of the write path.

Write path

Propose

The agent produces a candidate durable takeaway.

Detect

Secrets, PII, and tenant-specific identifiers are matched.

Strip

The stored body receives markers, not raw sensitive text.

Audit

The write records policy metadata without exposing the secret.
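As an added illustration of this four-step write path (example code, not Ambience's own), the function below takes a candidate takeaway, replaces matches with markers, returns an audit record that names the policies that fired but never their values, and refuses to return anything if a matched value is still present. The policy regexes, the tenant-rule format and the marker syntax are assumptions made for the example; the sample text is constructed.

```python
import re
from dataclasses import dataclass, field

# Built-in detection policies (constructed for this example). Patterns are
# deliberately broad: a false positive costs a marker, a false negative
# persists a secret.
BUILTIN_POLICIES = {
    "secret.api_key": re.compile(r"\b(?:sk|ak|ghp)_\w{16,}\b"),
    "secret.bearer":  re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{16,}"),
    "pii.email":      re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "pii.ssn":        re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pii.phone":      re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}

@dataclass
class WriteResult:
    body: str                                   # the only text allowed to reach disk
    audit: dict = field(default_factory=dict)   # policy name -> match count, no values

def redact_for_storage(candidate: str, tenant_rules=None) -> WriteResult:
    """Detect -> strip -> audit. Only the returned object may be persisted."""
    policies = dict(BUILTIN_POLICIES)
    # Tenant-managed rules (assumed shape: name -> regex source) are applied last.
    for name, source in (tenant_rules or {}).items():
        policies[f"tenant.{name}"] = re.compile(source)
    body, audit, seen = candidate, {}, []
    for name, pattern in policies.items():
        seen.extend(m.group(0) for m in pattern.finditer(body))
        body, count = pattern.subn(f"[REDACTED:{name}]", body)
        if count:
            audit[name] = count
    # Invariant of the write path: no matched value survives in body or audit.
    leaked = [v for v in seen if v in body or v in repr(audit)]
    if leaked:
        raise RuntimeError("redaction incomplete; refusing to persist")
    return WriteResult(body=body, audit=audit)

# Constructed agent takeaway and a constructed tenant rule for customer ids.
SAMPLE = ("Checkout retries fail when the key sk_live_4eC39HqLyjWDarjtT1zdp7dc "
          "is rotated; contact dana@example.com or (415) 555-0100. "
          "Customer ACME-00917 affected.")
TENANT_RULES = {"customer_id": r"\bACME-\d{5}\b"}

if __name__ == "__main__":
    result = redact_for_storage(SAMPLE, TENANT_RULES)
    print(result.body)
    print(result.audit)
```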

Controls (control, proof, state)

    • Secrets: Token-like strings and API keys are removed before any durable write. State: live

    • PII: Email addresses, phone numbers, postal addresses, and SSNs are stripped or marked. State: live

    • Tenant patterns: Customer identifiers can be constrained through tenant-managed rules. State: in progress

Why teams feel this quickly

Team memory compounds only when people trust the write path. A single raw customer name, token, or contract detail in shared context makes every later retrieval feel risky, even if the permission model is technically correct.

Safer sharing

Project memories can help the next teammate without exposing the raw session.

Cleaner audits

Admins can inspect the policy that matched without seeing the sensitive value.

Better defaults

Agents learn durable facts while one-off private details disappear early.

Audit evidence

    • Ambience: memory redacted (memory:checkout-debug)

      Sensitive substrings were removed before the memory was stored.

    • Ambience: memory proposed (session:checkout-debug)

      A candidate memory was produced from the end of an agent session.