Originally published at tracecontinuity.com
What governed AI memory actually looks like in code
This is a technical post about how Trace Continuity works as an AI memory API — what the code looks like, what the architecture looks like, and specifically what is different about a governed memory layer versus bare vector stores or tools like Mem0 and Zep.
The core primitives
Trace Continuity's API has three primary operations: remember, recall, and forget.
remember — write a memory
const { TraceContinuity } = require('@trace-continuity/sdk');
const client = new TraceContinuity({ apiKey: process.env.TRACE_CONTINUITY_API_KEY });
await client.remember({
agent: 'support-bot',
tenant: 'acme-corp',
fact: 'User prefers email contact, not phone. Contact: user@example.com',
retention: '90d',
access: ['support', 'success'],
metadata: { source: 'conversation', session_id: 'sess_abc123' }
});
What happens before anything is written:
- PII scan runs. The email address is detected and redacted. What gets stored: "User prefers email contact, not phone. Contact: [EMAIL_REDACTED]."
- Redaction event is logged. Type: EMAIL. Agent: support-bot. Tenant: acme-corp. Timestamp: now.
- TTL is set. 90 days from write time. Enforced at the infrastructure layer.
- Access policy is stored with the memory. Only agents with role "support" or "success" can retrieve this.
- Write audit record is created. Who wrote, when, from what session.
- Memory is stored. Embedded and indexed.
recall — retrieve memories
const memories = await client.recall({
agent: 'support-bot',
tenant: 'acme-corp',
query: 'How does this user prefer to be contacted?',
limit: 5
});
// memories[0] = {
// fact: "User prefers email contact, not phone. Contact: [EMAIL_REDACTED].",
// score: 0.94,
// created_at: "2026-04-01T10:23:00Z",
// expires_at: "2026-07-01T10:23:00Z",
// id: "mem_xyz789"
// }
forget — delete a memory
await client.forget({
tenant: 'acme-corp',
memory_id: 'mem_xyz789',
reason: 'user_erasure_request' // GDPR Article 17 compliance
});
What happens: deletion is authenticated, memory is deleted from all storage layers, and the deletion is logged immutably with reason, timestamp, requesting agent, and memory ID.
How this differs from Mem0, Zep, and bare vector stores
| Capability | pgvector / Pinecone | Mem0 | Trace Continuity |
|---|---|---|---|
| TTL enforcement | Manual (cron jobs) | Not a feature | Automatic (infrastructure layer) |
| PII redaction | None | None | Pre-storage, typed detection |
| Access control | API key only | API key only | Per-memory, per-agent-role policies |
| Audit logging | None | None | Every read/write/delete |
| Tenant isolation | Namespace by convention | Namespace by convention | Hard isolation by architecture |
| GDPR deletion | Manual query + delete | Manual | forget() with immutable proof |
The pattern with both Mem0 and Zep: memory is the core, governance is your problem. In Trace Continuity: governance is the core. Memory is how it works.
The retention policy model
Retention in Trace Continuity works at three levels, in order of precedence:
1. Memory-level TTL — set at write time:
await client.remember({ ..., retention: '30d' }); // expires in 30 days
await client.remember({ ..., retention: '1y' }); // expires in 1 year
await client.remember({ ..., retention: 'session' }); // expires when session ends
2. Agent-level default TTL — configured on the agent definition.
3. Tenant-level maximum TTL — hard ceiling set by the platform admin. A compliance team can set guardrails that cannot be overridden by individual agent implementations.
The audit log structure
Every memory operation generates an audit event:
{
"event_id": "evt_abc123",
"event_type": "memory.write",
"tenant_id": "acme-corp",
"agent_id": "support-bot",
"memory_id": "mem_xyz789",
"timestamp": "2026-04-15T14:23:11Z",
"redactions": [
{ "type": "EMAIL", "field_position": 52 }
]
}
The audit log is immutable, queryable (by tenant, agent, event type, time range), and exportable for compliance reporting.
Getting started
npm install @trace-continuity/sdk
const { TraceContinuity } = require('@trace-continuity/sdk');
const client = new TraceContinuity({
apiKey: process.env.TRACE_CONTINUITY_API_KEY
});
// Governance is on by default.
await client.remember({
agent: 'my-first-agent',
tenant: 'my-org',
fact: 'User is an early adopter. Signed up in April 2026.',
retention: '1y'
});
Every operation from this point is governed: PII-scanned, TTL-enforced, access-controlled, and audit-logged.
Top comments (0)